Comments (2)
Hmm, you have a point; I just hadn't bothered with it before because it seemed like a hassle. But to prevent getting hold of the DOM there seem to be other approaches, for example:
`var window, document, top, self, parent; /* other dangerous objects */ return !!(${expression});}`
from amis.
This approach avoids some of it, but it is still very easy to bypass. For example:

```javascript
// shadow the blacklisted globals with undefined locals, then evaluate the expression
const evalString = expression => new Function(`
  var window, document, top, self, parent; /* other dangerous objects */ return !!(${expression});
`)

// this throws an error
evalString('alert(document.cookie)')()

// but with a small detour you can still get hold of document
evalString('alert(LC40.getRootNode().cookie)')()
```

Here LC40 is an id on the page; any id can be used directly to get the corresponding DOM object.
This is a blacklist mechanism, so it can't be made absolutely safe.
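As an added example that is not amis code and not what either commenter proposed, here is the allowlist alternative that the last sentence points to: an evaluator that parses the expression itself instead of handing it to `new Function`, resolves identifiers only against a data object the caller passes in, and has no call syntax at all, so `document`, named elements such as `LC40` and methods like `getRootNode()` are not expressible rather than merely blacklisted. The grammar, the `evalExpression` and `tryEvaluate` names and the data objects are assumptions of this example.

```javascript
// Added example, not amis code: an allowlist expression evaluator. Instead of
// handing the string to new Function and hoping a blacklist of shadowed names
// is complete, it parses the expression itself, resolves identifiers only
// against the caller's data object and has no call syntax, so globals, element
// ids and method calls are unreachable by construction. The grammar below is an
// assumption of this example, not the grammar amis itself accepts.

function tokenize(src) {
  const tokens = [];
  for (let i = 0, m; i < src.length; ) {
    const c = src[i];
    if (/\s/.test(c)) { i++; continue; }
    if ((m = /^\d+(\.\d+)?/.exec(src.slice(i)))) { tokens.push({ type: 'num', value: Number(m[0]) }); i += m[0].length; continue; }
    if (c === '"' || c === "'") {                  // string literal, no escape support
      const j = src.indexOf(c, i + 1);
      if (j < 0) throw new SyntaxError('unterminated string literal');
      tokens.push({ type: 'str', value: src.slice(i + 1, j) }); i = j + 1; continue;
    }
    if ((m = /^[A-Za-z_$][\w$]*/.exec(src.slice(i)))) { tokens.push({ type: 'id', value: m[0] }); i += m[0].length; continue; }
    // Operators, longest match first. '(' is only a grouping token: there is no call syntax.
    const op = ['===', '!==', '==', '!=', '<=', '>=', '&&', '||'].find(o => src.startsWith(o, i))
      || ('+-*/%<>!().'.includes(c) ? c : null);
    if (op === null) throw new SyntaxError(`unexpected character ${JSON.stringify(c)}`);
    tokens.push({ type: 'op', value: op }); i += op.length;
  }
  return tokens;
}

const PREC = { '||': 1, '&&': 2, '==': 3, '!=': 3, '===': 3, '!==': 3,
               '<': 4, '<=': 4, '>': 4, '>=': 4, '+': 5, '-': 5, '*': 6, '/': 6, '%': 6 };
const BIN = {
  '+': (l, r) => l + r, '-': (l, r) => l - r, '*': (l, r) => l * r, '/': (l, r) => l / r, '%': (l, r) => l % r,
  '==': (l, r) => l == r, '!=': (l, r) => l != r, '===': (l, r) => l === r, '!==': (l, r) => l !== r,
  '<': (l, r) => l < r, '<=': (l, r) => l <= r, '>': (l, r) => l > r, '>=': (l, r) => l >= r,
};

function parse(tokens) {
  let pos = 0;
  const peek = () => tokens[pos];
  const isOp = v => !!peek() && peek().type === 'op' && peek().value === v;
  const fail = msg => { throw new SyntaxError(msg); };
  function primary() {
    const t = tokens[pos++] || fail('unexpected end of expression');
    if (t.type === 'num' || t.type === 'str') return { kind: 'lit', value: t.value };
    if (t.type === 'id' && (t.value === 'true' || t.value === 'false')) return { kind: 'lit', value: t.value === 'true' };
    if (t.type === 'id') {                        // identifier with optional dotted path, e.g. user.age
      const path = [t.value];
      while (isOp('.')) { pos++; const p = tokens[pos++]; path.push(p && p.type === 'id' ? p.value : fail('expected property name')); }
      return { kind: 'ref', path };
    }
    if (t.value === '(') { const e = binary(0); isOp(')') ? pos++ : fail('expected ")"'); return e; }
    return fail(`unexpected token ${JSON.stringify(t.value)}`);
  }
  function unary() {
    return isOp('!') || isOp('-') ? { kind: 'unary', op: tokens[pos++].value, expr: unary() } : primary();
  }
  function binary(minPrec) {                      // precedence climbing over PREC
    let left = unary();
    for (let t = peek(); t && t.type === 'op' && PREC[t.value] >= minPrec; t = peek()) {
      pos++;
      left = { kind: 'bin', op: t.value, left, right: binary(PREC[t.value] + 1) };
    }
    return left;
  }
  const ast = binary(0);
  if (pos !== tokens.length) fail(`unexpected token ${JSON.stringify(tokens[pos].value)}`);
  return ast;
}

// Identifiers resolve only through own properties of the data object, so inherited
// names such as constructor are rejected, and a function value is never returned.
function resolve(path, data) {
  let cur = data;
  for (const key of path) {
    if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, key)) {
      throw new ReferenceError(`${path.join('.')} is not defined in the data context`);
    }
    cur = cur[key];
  }
  if (typeof cur === 'function') throw new TypeError(`${path.join('.')} is not a plain value`);
  return cur;
}

function evaluate(node, data) {
  if (node.kind === 'lit') return node.value;
  if (node.kind === 'ref') return resolve(node.path, data);
  if (node.kind === 'unary') return node.op === '!' ? !evaluate(node.expr, data) : -evaluate(node.expr, data);
  if (node.op === '&&') return evaluate(node.left, data) && evaluate(node.right, data);
  if (node.op === '||') return evaluate(node.left, data) || evaluate(node.right, data);
  return BIN[node.op](evaluate(node.left, data), evaluate(node.right, data));
}

function evalExpression(expression, data = {}) {
  return evaluate(parse(tokenize(expression)), data);
}

// Distinguishes a rejected expression from one that legitimately evaluates to false.
function tryEvaluate(expression, data = {}) {
  try { return { ok: true, value: evalExpression(expression, data) }; }
  catch (e) { return { ok: false, error: `${e.name}: ${e.message}` }; }
}

console.log(evalExpression('a + b', { a: 1, b: 2 }));          // 3
console.log(tryEvaluate('alert(document.cookie)'));            // ok: false, SyntaxError (no call syntax)
console.log(tryEvaluate('alert(LC40.getRootNode().cookie)'));  // ok: false, SyntaxError (no call syntax)
console.log(tryEvaluate('document.cookie'));                   // ok: false, ReferenceError (not in data)
```

Both expressions from the comment above are refused at parse time because `(` can only group, and an identifier that is not an own property of the data object is refused at evaluation time. The cost is that the expression language is no longer JavaScript: anything an expression legitimately needs (a helper, a formatting routine) has to be added to the grammar deliberately instead of being picked up from whatever the page exposes.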