![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152944-6898bae8e19e5.png\")
<\/p>\nhttps:\/\/www.youtube.com\/watch?v=iWoiwFRLV4I<\/p>\n
\n
<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152945-6898bae9684bf.png\")
<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152945-6898bae9ab39d.png\")
<\/p>\n
By the end of this room, you'll know how websites are created and will be introduced to some basic security issues. \u5728\u672c\u8bfe\u7ed3\u675f\u65f6,\u4f60\u5c06\u4e86\u89e3\u7f51\u7ad9\u662f\u5982\u4f55\u521b\u5efa\u7684,\u5e76\u5c06\u88ab\u4ecb\u7ecd\u4e00\u4e9b\u57fa\u672c\u7684\u5b89\u5168\u95ee\u9898\u3002<\/p>\n
When you visit a website, your browser (like Safari or Google Chrome) makes a request to a web server asking for information about the page you're visiting. It will respond with data that your browser uses to show you the page; a web server is just a dedicated computer somewhere else in the world that handles your requests. \u5f53\u4f60\u8bbf\u95ee\u4e00\u4e2a\u7f51\u7ad9\u65f6,\u4f60\u7684\u6d4f\u89c8\u5668 (\u5982 Safari \u6216 Google Chrome) \u4f1a\u5411 Web \u670d\u52a1\u5668\u53d1\u51fa\u8bf7\u6c42,\u8be2\u95ee\u5173\u4e8e\u4f60\u6b63\u5728\u8bbf\u95ee\u7684\u9875\u9762\u7684\u4fe1\u606f\u3002\u5b83\u4f1a\u4ee5\u4f60\u7684\u6d4f\u89c8\u5668\u7528\u6765\u5411\u4f60\u663e\u793a\u9875\u9762\u7684\u6570\u636e\u4f5c\u4e3a\u54cd\u5e94;Web \u670d\u52a1\u5668\u53ea\u662f\u4e16\u754c\u4e0a\u5176\u4ed6\u5730\u65b9\u7684\u4e00\u53f0\u4e13\u7528\u8ba1\u7b97\u673a,\u8d1f\u8d23\u5904\u7406\u4f60\u7684\u8bf7\u6c42\u3002<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152945-6898bae9e1d82.png\")
<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152946-6898baea24e9e.png\")
<\/p>\n
\n
There are two major components that make up a website: \u7f51\u7ad9\u4e3b\u8981\u7531\u4e24\u4e2a\u7ec4\u6210\u90e8\u5206\u6784\u6210:<\/p>\n
There are many other processes involved in your browser making a request to a web server, but for now, you just need to understand that you make a request to a server, and it responds with data your browser uses to render information to you. \u6d4f\u89c8\u5668\u5411 Web \u670d\u52a1\u5668\u53d1\u51fa\u8bf7\u6c42\u8fd8\u6d89\u53ca\u8bb8\u591a\u5176\u4ed6\u8fc7\u7a0b,\u4f46\u76ee\u524d,\u4f60\u53ea\u9700\u8981\u7406\u89e3\u4f60\u5411\u670d\u52a1\u5668\u53d1\u51fa\u4e86\u8bf7\u6c42,\u670d\u52a1\u5668\u4f1a\u7528\u6d4f\u89c8\u5668\u7528\u4e8e\u5411\u4f60\u5448\u73b0\u4fe1\u606f\u7684\u6570\u636e\u8fdb\u884c\u54cd\u5e94\u3002<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152946-6898baea76184.png\")
<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152946-6898baea9e58f.png\")
<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152946-6898baeab9f77.png\")
<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152947-6898baeb15eb5.png\")
<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152947-6898baeb62347.png\")
<\/p>\n
Websites are primarily created using: \u7f51\u7ad9\u4e3b\u8981\u662f\u901a\u8fc7\u4ee5\u4e0b\u65b9\u5f0f\u521b\u5efa\u7684:<\/p>\n
HyperText Markup Language (HTML) is the language websites are written in. Elements (also known as tags) are the building blocks of HTML pages and tells the browser how to display content. The code snippet below shows a simple HTML document, the structure of which is the same for every website: \u8d85\u6587\u672c\u6807\u8bb0\u8bed\u8a00 (HTML) \u662f\u7528\u4e8e\u7f16\u5199\u7f51\u7ad9\u7684\u8bed\u8a00\u3002\u5143\u7d20 (\u4e5f\u79f0\u4e3a\u6807\u7b7e) \u662f HTML \u9875\u9762\u7684\u6784\u5efa\u5757,\u544a\u8bc9\u6d4f\u89c8\u5668\u5982\u4f55\u663e\u793a\u5185\u5bb9\u3002\u4e0b\u9762\u7684\u4ee3\u7801\u7247\u6bb5\u663e\u793a\u4e86\u4e00\u4e2a\u7b80\u5355\u7684 HTML \u6587\u6863,\u5176\u7ed3\u6784\u5bf9\u4e8e\u6bcf\u4e2a\u7f51\u7ad9\u90fd\u662f\u76f8\u540c\u7684:<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152947-6898baebe052a.png\")
<\/p>\n
The HTML structure (as shown in the screenshot) has the following components: HTML \u7ed3\u6784 (\u5982\u622a\u56fe\u6240\u793a) \u5305\u542b\u4ee5\u4e0b\u7ec4\u4ef6:<\/p>\n
Tags can contain attributes such as the class attribute which can be used to style an element (e.g. make the tag a different color) <p class="bold-text">, or the src attribute which is used on images to specify the location of an image: <img src="img\/cat.jpg">.An element can have multiple attributes each with its own unique purpose, e.g., <p attribute1="value1" attribute2="value2">. \u6807\u7b7e\u53ef\u4ee5\u5305\u542b\u5c5e\u6027,\u4f8b\u5982\u7528\u4e8e\u6837\u5f0f\u5316\u5143\u7d20\u7684 class \u5c5e\u6027 (\u4f8b\u5982,\u4f7f\u6807\u7b7e\u5177\u6709\u4e0d\u540c\u7684\u989c\u8272)<p class=\u201c\u7c97\u4f53\u6587\u672c\u201d>, \u6216\u7528\u4e8e\u56fe\u50cf\u7684 src \u5c5e\u6027\u6765\u6307\u5b9a\u56fe\u50cf\u7684\u4f4d\u7f6e:<img src=\u201cimg\/cat.jpg\u201d>\u3002\u5143\u7d20\u53ef\u4ee5\u5177\u6709\u591a\u4e2a\u5c5e\u6027,\u6bcf\u4e2a\u5c5e\u6027\u90fd\u6709\u5176\u72ec\u7279\u7684\u7528\u9014,\u4f8b\u5982,<p attribute1=\u201cvalue1\u201d attribute2=\u201cvalue2\u201d>\u3002<\/p>\n
Elements can also have an id attribute (<p id="example">), which is unique to the element. Unlike the class attribute, where multiple elements can use the same class, an element must have different id's to identify them uniquely. Element id's are used for styling and to identify it by JavaScript. \u5143\u7d20\u4e5f\u53ef\u4ee5\u6709\u4e00\u4e2a id \u5c5e\u6027 (<p id=\u201cexample\u201d>), \u8fd9\u4e2a\u5c5e\u6027\u5bf9\u5143\u7d20\u6765\u8bf4\u662f\u552f\u4e00\u7684\u3002\u4e0e class \u5c5e\u6027\u4e0d\u540c,\u5728 class \u5c5e\u6027\u4e2d,\u591a\u4e2a\u5143\u7d20\u53ef\u4ee5\u4f7f\u7528\u76f8\u540c\u7684\u7c7b,\u800c\u5143\u7d20\u5fc5\u987b\u6709\u4e0d\u540c\u7684 id \u624d\u80fd\u552f\u4e00\u6807\u8bc6\u5b83\u4eec\u3002\u5143\u7d20\u7684 id \u7528\u4e8e\u6837\u5f0f\u8bbe\u8ba1\u548c JavaScript \u6807\u8bc6\u3002<\/p>\n
You can view the HTML of any website by right-clicking and selecting "View Page Source" (Chrome) \/ "Show Page Source" (Safari). \u60a8\u53ef\u4ee5\u901a\u8fc7\u53f3\u952e\u5355\u51fb\u5e76\u9009\u62e9 \u201c\u67e5\u770b\u9875\u9762\u6e90\u4ee3\u7801\u201d(Chrome)\/\u201c\u663e\u793a\u9875\u9762\u6e90\u4ee3\u7801\u201d(Safari) \u6765\u67e5\u770b\u4efb\u4f55\u7f51\u7ad9\u7684 HTML\u3002<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152948-6898baec37705.png\")
<\/p>\n
\u70b9\u51fb\u4e00\u4e0b\u90a3\u4e2aview site<\/p>\n
\u5c31\u884c<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152948-6898baecc92bc.png\")
<\/p>\n
\u6539\u5b8c\u4e4b<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152949-6898baedae17a.png\")
<\/p>\n
\u7b54\u6848\u5c31\u662f\u56fe\u7247\u91cc\u9762\u7684 HTMLHERO<\/p>\n
\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152950-6898baee87760.png\")
<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152951-6898baef2edb8.png\")
<\/p>\n
<img src='img\/dog-1.png'> <\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152952-6898baf02d81f.png\")
<\/p>\n
\n
\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152953-6898baf13743b.png\")
<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152953-6898baf19c938.png\")
<\/p>\n
JavaScript (JS) is one of the most popular coding languages in the world and allows pages to become interactive. HTML is used to create the website structure and content, while JavaScript is used to control the functionality of web pages – without JavaScript, a page would not have interactive elements and would always be static. JS can dynamically update the page in real-time, giving functionality to change the style of a button when a particular event on the page occurs (such as when a user clicks a button) or to display moving animations. JavaScript (JS) \u662f\u4e16\u754c\u4e0a\u6700\u6d41\u884c\u7684\u7f16\u7a0b\u8bed\u8a00\u4e4b\u4e00,\u5b83\u5141\u8bb8\u9875\u9762\u53d8\u5f97\u5177\u6709\u4ea4\u4e92\u6027\u3002HTML \u7528\u4e8e\u521b\u5efa\u7f51\u7ad9\u7ed3\u6784\u548c\u5185\u5bb9,\u800c JavaScript \u7528\u4e8e\u63a7\u5236 Web \u9875\u9762\u7684\u529f\u80fd \u2014\u2014 \u5982\u679c\u6ca1\u6709 JavaScript, \u9875\u9762\u5c06\u6ca1\u6709\u4ea4\u4e92\u5143\u7d20,\u5e76\u4e14\u59cb\u7ec8\u662f\u9759\u6001\u7684\u3002JS \u53ef\u4ee5\u5b9e\u65f6\u52a8\u6001\u66f4\u65b0\u9875\u9762,\u5f53\u9875\u9762\u4e0a\u53d1\u751f\u7279\u5b9a\u4e8b\u4ef6\u65f6 (\u4f8b\u5982,\u5f53\u7528\u6237\u70b9\u51fb\u6309\u94ae\u65f6), \u53ef\u4ee5\u66f4\u6539\u6309\u94ae\u7684\u6837\u5f0f,\u6216\u663e\u793a\u52a8\u753b\u3002<\/p>\n
JavaScript is added within the page source code and can be either loaded within <script> tags or can be included remotely with the src attribute: <script src="\/location\/of\/javascript_file.js"><\/script> JavaScript \u88ab\u6dfb\u52a0\u5230\u9875\u9762\u6e90\u4ee3\u7801\u4e2d,\u53ef\u4ee5\u5728 <script> \u6807\u7b7e\u4e2d\u52a0\u8f7d,\u4e5f\u53ef\u4ee5\u901a\u8fc7 src \u5c5e\u6027\u8fdc\u7a0b\u5305\u542b:<script src="\/location\/of\/javascript_file.js"><\/script><\/p>\n
The following JavaScript code finds a HTML element on the page with the id of "demo" and changes the element's contents to "Hack the Planet" : document.getElementById("demo").innerHTML = "Hack the Planet"; \u4ee5\u4e0b JavaScript \u4ee3\u7801\u5728\u9875\u9762\u4e0a\u627e\u5230\u4e00\u4e2a ID \u4e3a \u201cdemo\u201d \u7684 HTML \u5143\u7d20,\u5e76\u5c06\u8be5\u5143\u7d20\u7684\u5185\u5bb9\u66f4\u6539\u4e3a \u201cHack the Planet\u201d:document.getElementById ("demo").innerHTML =\u201cHack the Planet\u201d;<\/p>\n
HTML elements can also have events, such as "onclick" or "onhover" that execute JavaScript when the event occurs. The following code changes the text of the element with the demo ID to Button Clicked: <button onclick='document.getElementById("demo").innerHTML = "Button Clicked";'>Click Me!<\/button> – onclick events can also be defined inside the JavaScript script tags, and not on elements directly. HTML \u5143\u7d20\u4e5f\u53ef\u4ee5\u5305\u542b\u4e8b\u4ef6,\u4f8b\u5982 \u201conclick\u201d \u6216 \u201conhover\u201d, \u8fd9\u4e9b\u4e8b\u4ef6\u5728\u4e8b\u4ef6\u53d1\u751f\u65f6\u6267\u884c JavaScript\u3002\u4ee5\u4e0b\u4ee3\u7801\u5c06\u5177\u6709 demo ID \u7684\u5143\u7d20\u6587\u672c\u66f4\u6539\u4e3a \u201cButton Clicked\u201d:<button \u03bfnclick=\u2018document.getElementById ("demo").innerHTML=\u201cButton Clicked\u201d;\u2018>Click Me!<\/button>\u2014\u2014onclick \u4e8b\u4ef6\u4e5f\u53ef\u4ee5\u5728 JavaScript \u811a\u672c\u6807\u7b7e\u4e2d\u5b9a\u4e49,\u800c\u4e0d\u662f\u76f4\u63a5\u5728\u5143\u7d20\u4e0a\u5b9a\u4e49\u3002<\/p>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250810152954-6898baf22b085.png\")
<\/p>\n
\n
![\"\"](\"2025-08-10lbkbit1nev1.png\")
<\/p>\n
\n
![\"\"](\"2025-08-10jaozbblrenf.png\")
<\/p>\n
\n
![\"\"](\"2025-08-10ygnw3dohzgo.png\")
<\/p>\n
\n
![\"\"](\"2025-08-100pxgxpp113j.png\")
<\/p>\n
Sensitive Data Exposure occurs when a website doesn't properly protect (or remove) sensitive clear-text information to the end-user; usually found in a site's frontend source code. \u5f53\u7f51\u7ad9\u672a\u80fd\u9002\u5f53\u5730\u4fdd\u62a4 (\u6216\u5220\u9664) \u654f\u611f\u7684\u660e\u6587\u4fe1\u606f\u7ed9\u6700\u7ec8\u7528\u6237\u65f6,\u5c31\u4f1a\u53d1\u751f\u654f\u611f\u6570\u636e\u6cc4\u9732;\u8fd9\u4e9b\u4fe1\u606f\u901a\u5e38\u5b58\u5728\u4e8e\u7f51\u7ad9\u7684\u524d\u7aef\u6e90\u4ee3\u7801\u4e2d\u3002<\/p>\n
We now know that websites are built using many HTML elements (tags), all of which we can see simply by "viewing the page source". A website developer may have forgotten to remove login credentials, hidden links to private parts of the website or other sensitive data shown in HTML or JavaScript. \u6211\u4eec\u73b0\u5728\u77e5\u9053\u7f51\u7ad9\u662f\u4f7f\u7528\u8bb8\u591a HTML \u5143\u7d20 (\u6807\u7b7e) \u6784\u5efa\u7684,\u6240\u6709\u8fd9\u4e9b\u5143\u7d20\u90fd\u53ef\u4ee5\u901a\u8fc7\u7b80\u5355\u7684 \u201c\u67e5\u770b\u9875\u9762\u6e90\u4ee3\u7801\u201d \u6765\u67e5\u770b\u3002\u7f51\u7ad9\u5f00\u53d1\u4eba\u5458\u53ef\u80fd\u5fd8\u8bb0\u5220\u9664\u767b\u5f55\u51ed\u636e\u3001\u6307\u5411\u7f51\u7ad9\u79c1\u6709\u90e8\u5206\u7684\u9690\u85cf\u94fe\u63a5,\u6216\u8005 HTML \u6216 JavaScript \u4e2d\u663e\u793a\u7684\u5176\u4ed6\u654f\u611f\u6570\u636e\u3002<\/p>\n
\n
![\"\"](\"2025-08-10qjwtgqbkfgk.png\")
<\/p>\n
Sensitive information can be potentially leveraged to further an attacker's access within different parts of a web application. For example, there could be HTML comments with temporary login credentials, and if you viewed the page's source code and found this, you could use these credentials to log in elsewhere on the application (or worse, used to access other backend components of the site). \u654f\u611f\u4fe1\u606f\u53ef\u80fd\u88ab\u7528\u4e8e\u8fdb\u4e00\u6b65\u5229\u7528\u653b\u51fb\u8005\u5bf9 Web \u5e94\u7528\u7a0b\u5e8f\u4e0d\u540c\u90e8\u5206\u7684\u8bbf\u95ee\u3002\u4f8b\u5982,\u53ef\u80fd\u4f1a\u51fa\u73b0\u5e26\u6709\u4e34\u65f6\u767b\u5f55\u51ed\u636e\u7684 HTML \u6ce8\u91ca,\u5982\u679c\u4f60\u67e5\u770b\u9875\u9762\u7684\u6e90\u4ee3\u7801\u5e76\u53d1\u73b0\u8fd9\u4e00\u70b9,\u4f60\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e9b\u51ed\u636e\u5728\u5e94\u7528\u7a0b\u5e8f\u7684\u5176\u4ed6\u5730\u65b9\u767b\u5f55 (\u6216\u8005\u66f4\u7cdf,\u7528\u4e8e\u8bbf\u95ee\u7f51\u7ad9\u7684\u5176\u4ed6\u540e\u7aef\u7ec4\u4ef6)\u3002<\/p>\n
Whenever you're assessing a web application for security issues, one of the first things you should do is review the page source code to see if you can find any exposed login credentials or hidden links. \u6bcf\u5f53\u4f60\u8bc4\u4f30 Web \u5e94\u7528\u7a0b\u5e8f\u7684\u5b89\u5168\u95ee\u9898\u65f6,\u9996\u5148\u8981\u505a\u7684\u4e8b\u60c5\u4e4b\u4e00\u5c31\u662f\u68c0\u67e5\u9875\u9762\u6e90\u4ee3\u7801,\u770b\u770b\u662f\u5426\u80fd\u627e\u5230\u4efb\u4f55\u66b4\u9732\u7684\u767b\u5f55\u51ed\u636e\u6216\u9690\u85cf\u7684\u94fe\u63a5<\/p>\n
\n
![\"\"](\"2025-08-102ok41pj3xbx.png\")
<\/p>\n
\n
![\"\"](\"2025-08-10xhykzemrbnn.png\")
<\/p>\n
\n
![\"\"](\"2025-08-101pjau4qruzk.png\")
<\/p>\n
\n
\n
\n
\n
![\"\"](\"2025-08-10kdifkog0tip.png\")
<\/p>\n
\n
![\"\"](\"2025-08-1040pbbmroupq.png\")
<\/p>\n
\n
![\"\"](\"2025-08-10tktehv13hah.png\")
<\/p>\n
HTML Injection is a vulnerability that occurs when unfiltered user input is displayed on the page. If a website fails to sanitise user input (filter any "malicious" text that a user inputs into a website), and that input is used on the page, an attacker can inject HTML code into a vulnerable website. HTML \u6ce8\u5165\u662f\u4e00\u79cd\u6f0f\u6d1e,\u5f53\u9875\u9762\u4e0a\u663e\u793a\u672a\u7ecf\u8fc7\u6ee4\u7684\u7528\u6237\u8f93\u5165\u65f6,\u5c31\u4f1a\u53d1\u751f\u8fd9\u79cd\u60c5\u51b5\u3002\u5982\u679c\u7f51\u7ad9\u672a\u80fd\u6e05\u7406\u7528\u6237\u8f93\u5165 (\u8fc7\u6ee4\u7528\u6237\u8f93\u5165\u5230\u7f51\u7ad9\u7684\u4efb\u4f55 \u201c\u6076\u610f\u201d \u6587\u672c), \u5e76\u4e14\u8be5\u8f93\u5165\u5728\u9875\u9762\u4e0a\u88ab\u4f7f\u7528,\u653b\u51fb\u8005\u5c31\u53ef\u4ee5\u5411\u6613\u53d7\u653b\u51fb\u7684\u7f51\u7ad9\u6ce8\u5165 HTML \u4ee3\u7801\u3002<\/p>\n
Input sanitisation is very important in keeping a website secure, as information a user inputs into a website is often used in other frontend and backend functionality. A vulnerability you'll explore in another lab is database injection, where you can manipulate a database lookup query to log in as another user by controlling the input that's directly used in the query – but for now, let's focus on HTML injection (which is client-side). \u8f93\u5165\u6e05\u7406\u5bf9\u4e8e\u4fdd\u6301\u7f51\u7ad9\u5b89\u5168\u975e\u5e38\u91cd\u8981,\u56e0\u4e3a\u7528\u6237\u8f93\u5165\u7f51\u7ad9\u7684\u4fe1\u606f\u901a\u5e38\u7528\u4e8e\u5176\u4ed6\u524d\u7aef\u548c\u540e\u7aef\u529f\u80fd\u3002\u4f60\u5c06\u5728\u53e6\u4e00\u4e2a\u5b9e\u9a8c\u5ba4\u4e2d\u63a2\u8ba8\u7684\u4e00\u4e2a\u6f0f\u6d1e\u662f\u6570\u636e\u5e93\u6ce8\u5165,\u5728\u90a3\u91cc,\u4f60\u53ef\u4ee5\u901a\u8fc7\u63a7\u5236\u67e5\u8be2\u4e2d\u76f4\u63a5\u4f7f\u7528\u7684\u8f93\u5165\u6765\u64cd\u4f5c\u6570\u636e\u5e93\u67e5\u8be2\u67e5\u8be2,\u4ee5\u53e6\u4e00\u4e2a\u7528\u6237\u7684\u8eab\u4efd\u767b\u5f55 \u2014\u2014 \u4f46\u73b0\u5728,\u8ba9\u6211\u4eec\u96c6\u4e2d\u5173\u6ce8 HTML \u6ce8\u5165 (\u8fd9\u662f\u5ba2\u6237\u7aef\u7684\u529f\u80fd)\u3002<\/p>\n
When a user has control of how their input is displayed, they can submit HTML (or JavaScript) code, and the browser will use it on the page, allowing the user to control the page's appearance and functionality. \u5f53\u7528\u6237\u53ef\u4ee5\u63a7\u5236\u5176\u8f93\u5165\u7684\u663e\u793a\u65b9\u5f0f\u65f6,\u4ed6\u4eec\u53ef\u4ee5\u63d0\u4ea4 HTML (\u6216 JavaScript) \u4ee3\u7801,\u6d4f\u89c8\u5668\u5c06\u5728\u9875\u9762\u4e0a\u4f7f\u7528\u8be5\u4ee3\u7801,\u4ece\u800c\u5141\u8bb8\u7528\u6237\u63a7\u5236\u9875\u9762\u7684\u5916\u89c2\u548c\u529f\u80fd\u3002<\/p>\n
\n
![\"\"](\"2025-08-10v253es4s0cf.png\")
<\/p>\n
\n
![\"\"](\"2025-08-10ejlm04aq5f5.png\")
<\/p>\n
The image above shows how a form outputs text to the page. Whatever the user inputs into the "What's your name" field is passed to a JavaScript function and output to the page, which means if the user adds their own HTML or JavaScript in the field, it's used in the sayHi function and is added to the page – this means you can add your own HTML (such as a <h1> tag) and it will output your input as pure HTML. \u4e0a\u56fe\u663e\u793a\u4e86\u8868\u5355\u5982\u4f55\u5c06\u6587\u672c\u8f93\u51fa\u5230\u9875\u9762\u3002\u65e0\u8bba\u7528\u6237\u5728 \u201cWhat is your name\u201d \u5b57\u6bb5\u4e2d\u8f93\u5165\u4ec0\u4e48,\u90fd\u4f1a\u4f20\u9012\u7ed9 JavaScript \u51fd\u6570\u5e76\u8f93\u51fa\u5230\u9875\u9762\u3002\u8fd9\u610f\u5473\u7740,\u5982\u679c\u7528\u6237\u5728\u8be5\u5b57\u6bb5\u4e2d\u6dfb\u52a0\u4e86\u81ea\u5df1\u7684 HTML \u6216 JavaScript, \u5b83\u5c06\u88ab sayHi \u51fd\u6570\u4f7f\u7528\u5e76\u6dfb\u52a0\u5230\u9875\u9762\u4e2d \u2014\u2014 \u8fd9\u610f\u5473\u7740\u4f60\u53ef\u4ee5\u6dfb\u52a0\u81ea\u5df1\u7684 HTML (\u4f8b\u5982 < h1> \u6807\u7b7e), \u5b83\u4f1a\u5c06\u4f60\u7684\u8f93\u5165\u8f93\u51fa\u4e3a\u7eaf HTML\u3002<\/p>\n
The general rule is never to trust user input. To prevent malicious input, the website developer should sanitise everything the user enters before using it in the JavaScript function; in this case, the developer could remove any HTML tags. \u4e00\u822c\u89c4\u5219\u662f\u6c38\u8fdc\u4e0d\u8981\u4fe1\u4efb\u7528\u6237\u8f93\u5165\u3002\u4e3a\u4e86\u9632\u6b62\u6076\u610f\u8f93\u5165,\u7f51\u7ad9\u5f00\u53d1\u4eba\u5458\u5e94\u8be5\u5728 JavaScript \u51fd\u6570\u4e2d\u4f7f\u7528\u7528\u6237\u8f93\u5165\u7684\u6240\u6709\u5185\u5bb9\u4e4b\u524d\u8fdb\u884c\u6e05\u7406;\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b,\u5f00\u53d1\u4eba\u5458\u53ef\u4ee5\u5220\u9664\u4efb\u4f55 HTML \u6807\u7b7e\u3002<\/p>\n
\n
![\"\"](\"2025-08-10gzzuhz5dvob.png\")
<\/p>\n
\n
![\"\"](\"2025-08-100qiibafkikq.png\")
<\/p>\n
<a href='http:\/\/hacker.com'> <\/p>\n
\n
![\"\"](\"2025-08-100hjll1wpbqy.png\")
<\/p>\n
\n
![\"\"](\"2025-08-10v0jqiucvaga.png\")
<\/p>\n
\n
![\"\"](\"2025-08-10bke3lkukhvd.png\")
<\/p>\n
![\"\"](\"2025-08-10etsswf4myve.png\")
<\/p>\n
| \n \u6587\u4ef6\u683c\u5f0f<\/p>\n<\/td>\n | \n \u5e38\u7528\u540e\u7f00<\/p>\n<\/td>\n | \n \u6587\u4ef6\u5934 (Hex)<\/p>\n<\/td>\n | \n \u6587\u4ef6\u5c3e (Hex)<\/p>\n<\/td>\n | \n \u8bf4\u660e<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n JPEG<\/p>\n<\/td>\n | \n .jpg\/.jpeg<\/p>\n<\/td>\n | \n FF D8 FF<\/p>\n<\/td>\n | \n FF D9<\/p>\n<\/td>\n | \n \u56fe\u50cf\u538b\u7f29\u6807\u51c6<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n PNG<\/p>\n<\/td>\n | \n .png<\/p>\n<\/td>\n | \n 89 50 4E 47<\/p>\n<\/td>\n | \n 00 00 00 00 49 45 4E 44 AE 42 60 82<\/p>\n<\/td>\n | \n \u65e0\u635f\u4f4d\u56fe\u683c\u5f0f<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n BMP<\/p>\n<\/td>\n | \n .bmp<\/p>\n<\/td>\n | \n 42 4D (BM)<\/p>\n<\/td>\n | \n \u65e0\u56fa\u5b9a\u6587\u4ef6\u5c3e<\/p>\n<\/td>\n | \n Windows \u4f4d\u56fe\u683c\u5f0f<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n GIF<\/p>\n<\/td>\n | \n .gif<\/p>\n<\/td>\n | \n 47 49 46 38 (GIF8)<\/p>\n<\/td>\n | \n 3B<\/p>\n<\/td>\n | \n \u52a8\u56fe\u683c\u5f0f<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n XML<\/p>\n<\/td>\n | \n .xml<\/p>\n<\/td>\n | \n 3C 3F 78 6D 6C (<?xml)<\/p>\n<\/td>\n | \n \u65e0\u56fa\u5b9a\u6587\u4ef6\u5c3e<\/p>\n<\/td>\n | \n \u7ed3\u6784\u5316\u6570\u636e\u6807\u8bb0\u8bed\u8a00<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n HTML<\/p>\n<\/td>\n | \n .html\/.htm<\/p>\n<\/td>\n | \n 3C 21 44 4F 43 \u6216 68 74 6D 6C<\/p>\n<\/td>\n | \n \u65e0\u56fa\u5b9a\u6587\u4ef6\u5c3e<\/p>\n<\/td>\n | \n \u8d85\u6587\u672c\u6807\u8bb0\u8bed\u8a00<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n MS Office<\/p>\n<\/td>\n | \n .doc\/.xls<\/p>\n<\/td>\n | \n D0 CF 11 E0<\/p>\n<\/td>\n | \n FD FF FF FF (FAT\u6587\u4ef6\u5c3e)<\/p>\n<\/td>\n | \n \u65e7\u7248Office\u4e8c\u8fdb\u5236\u683c\u5f0f<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n MS Access<\/p>\n<\/td>\n | \n .mdb<\/p>\n<\/td>\n | \n 53 74 61 6E 64 61 72 64 20 4A<\/p>\n<\/td>\n | \n \u65e0\u56fa\u5b9a\u6587\u4ef6\u5c3e<\/p>\n<\/td>\n | \n Access\u6570\u636e\u5e93\u683c\u5f0f<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n PDF<\/p>\n<\/td>\n | \n .pdf<\/p>\n<\/td>\n | \n 25 50 44 46 2D 31 2E<\/p>\n<\/td>\n | \n 25 25 45 4F 46 (%%EOF)<\/p>\n<\/td>\n | \n \u8de8\u5e73\u53f0\u6587\u6863\u683c\u5f0f<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n ZIP<\/p>\n<\/td>\n | \n .zip<\/p>\n<\/td>\n | \n 50 4B 03 04<\/p>\n<\/td>\n | \n 50 4B 05 06<\/p>\n<\/td>\n | \n \u538b\u7f29\u6587\u4ef6\u683c\u5f0f<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n RAR<\/p>\n<\/td>\n | \n .rar<\/p>\n<\/td>\n | \n 52 61 72 21 1A 07 00<\/p>\n<\/td>\n | \n C4 3D 7B 00<\/p>\n<\/td>\n | \n WinRAR\u538b\u7f29\u683c\u5f0f<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n WAV<\/p>\n<\/td>\n | \n .wav<\/p>\n<\/td>\n | \n 52 49 46 46 xx xx xx xx 57 41 56 45<\/p>\n<\/td>\n | \n \u65e0\u56fa\u5b9a\u6587\u4ef6\u5c3e<\/p>\n<\/td>\n | \n \u97f3\u9891\u6ce2\u5f62\u683c\u5f0f<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n AVI<\/p>\n<\/td>\n | \n .avi<\/p>\n<\/td>\n | \n 52 49 46 46 xx xx xx xx 41 56 49 20<\/p>\n<\/td>\n | \n \u65e0\u56fa\u5b9a\u6587\u4ef6\u5c3e<\/p>\n<\/td>\n | \n \u97f3\u89c6\u9891\u5bb9\u5668\u683c\u5f0f<\/p>\n<\/td>\n<\/tr>\n | |||||||||||||||
| \n TIFF<\/p>\n<\/td>\n | \n .tif\/.tiff<\/p>\n<\/td>\n | \n 49 49 2A 00 \u6216 4D 4D 00 2A<\/p>\n<\/td>\n | \n 00 00 00 00<\/p>\n<\/td>\n | \n \u9ad8\u8d28\u91cf\u56fe\u50cf\u683c\u5f0f<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \u6587\u4ef6\u5934\u5c3e\u8bf4\u660e:<\/p>\n \n \u6587\u4ef6\u540e\u7f00\u4e13\u4e1a\u89e3\u6790<\/h4>\n |
| \n \u7279\u6027<\/p>\n<\/td>\n | \n Windows<\/p>\n<\/td>\n | \n Linux\/macOS<\/p>\n<\/td>\n<\/tr>\n |
| \n \u540e\u7f00\u4f9d\u8d56\u5ea6<\/p>\n<\/td>\n | \n \u9ad8\u5ea6\u4f9d\u8d56(\u9690\u85cf\u5df2\u77e5\u6269\u5c55\u540d)<\/p>\n<\/td>\n | \n \u53ef\u9009(\u4e3b\u8981\u9760MIME\u7c7b\u578b)<\/p>\n<\/td>\n<\/tr>\n |
| \n \u4fee\u6539\u540e\u679c<\/p>\n<\/td>\n | \n \u5bfc\u81f4\u5173\u8054\u7a0b\u5e8f\u9519\u8bef<\/p>\n<\/td>\n | \n \u4e0d\u5f71\u54cd\u6587\u4ef6\u5185\u5bb9\u8bc6\u522b<\/p>\n<\/td>\n<\/tr>\n |
| \n \u5b89\u5168\u98ce\u9669<\/p>\n<\/td>\n | \n \u9ad8\u5371(\u5982:virus.txt.exe)<\/p>\n<\/td>\n | \n \u8f83\u4f4e(\u9700+x\u6743\u9650\u624d\u53ef\u6267\u884c)<\/p>\n<\/td>\n<\/tr>\n |
| \n \u9ed8\u8ba4\u5904\u7406<\/p>\n<\/td>\n | \n \u6839\u636e\u540e\u7f00\u9009\u62e9\u7a0b\u5e8f<\/p>\n<\/td>\n | \n \u6839\u636e\u6587\u4ef6\u7b7e\u540d+MIME\u7c7b\u578b<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n 2. \u6587\u4ef6\u8bc6\u522b\u4f18\u5148\u7ea7<\/h5>\n\u5728\u6570\u5b57\u53d6\u8bc1\u4e2d\u6309\u4ee5\u4e0b\u987a\u5e8f\u5224\u65ad\u6587\u4ef6\u7c7b\u578b:<\/p>\n \n \u6587\u4ef6\u7b7e\u540d\u5b9e\u6218\u5e94\u7528<\/h4>\n |