아래는 내 서비스에 가입 할 때 사용자 정보를 저장하는 데 사용하려는 가입 양식 스 니펫입니다. 로그인 할 때 이름을 표시하고 악성 코드가 웹 브라우저에서 실행될 수있는 기회를 열어 둡니다. 문제는 악의적 인 코드가 입력에 주입되는 것을 방지하기 위해 사용자 입력을 어떻게 보호하고 nodej에서 실행되는 백엔드에 저장 되는가입니다. 당신이 나에게 모범을 보여줄 수 있습니까? 여기 내 가입 양식이 코드 삽입에 취약합니까? 그렇다면 어떻게해야합니까?
폼<div class="tab-form">
<div id="signup">
<h1>Sign up for the <span>Beta</span></h1>
<form action="/signup" method="post">
<div class="top-row">
<div class="field-wrap">
<label>First Name<span class="req">*</span></label>
<input type="text" name="f_Name" required autocomplete="off" />
</div>
<div class="field-wrap">
<label>Last Name<span class="req">*</span></label>
<input type="text" name="l_Name" required autocomplete="off"/>
</div>
</div>
<div class="field-wrap">
<label>Email<span class="req">*</span></label>
<input type="email" name="email" size="64" maxlength="64" required autocomplete="off"/>
</div>
<div class="field-wrap">
<label>Address<span class="req">*</span></label>
<input type="text" name="address" required autocomplete="off"/>
</div>
<div class="field-wrap">
<label>Address 2</label>
<input type="text" name="address_2"/>
</div>
<div class="field-wrap">
<label>City<span class="req">*</span></label>
<input type="text" name="city" required autocomplete="off"/>
</div>
<div class="field-wrap">
<label>Zip code<span class="req">*</span></label>
<input type="text" name="zip_code" required autocomplete="off"/>
</div>
<div class="field-wrap">
<label>Phone number<span class="req">*</span></label>
<input type="tel" name="phone_number" required autocomplete="off"/>
</div>
<div class="field-wrap">
<label>Password<span class="req">*</span></label>
<input type="password" name="password" required autocomplete="off"/>
</div>
<div class="button-container">
<button type="submit" class="button button-block"/>Sign Me Up!</button>
</div>
</form>
</div>
</div>
대한 클라이언트 측 코드이며, 여기서 데이터베이스에 사용자가 입력 한 값을 추가하는 서버 측 코드이다.
passport.use("local-signup", new LocalStrategy({
// Override username with email for authentication
usernameField: "email",
passwordField: "password",
passReqToCallback: true // Pass the entire request to the callback
},
function(req, email, password, done) {
// Async task
// User.findOne wont run unless data arrives
process.nextTick(function() {
// Find user that matches the email provided on forms
// Checks for an already existing user that matches the credentials
User.findOne({ "local.email" : email }, function(err, user) {
// Return error if one exists
if(err)
return done(err);
// Checks for the existance of a user matching the email provided
if(user) {
return done(null, false, req.flash("signupMessage", "Email already used."));
} else {
// If user with that email doesnt exists
// Generate a new user matching that email
var newUser = new User();
var firstname = req.body.f_Name;
var lastname = req.body.l_Name;
var address = req.body.address;
var address2 = req.body.address_2;
var city = req.body.city;
var zipcode = req.body.zip_code;
var phonenumber = req.body.phone_number;
var passwordHash = newUser.generateHash(password);
// Adds new credentials
newUser.local.email = firstname;
newUser.local.password = passwordHash;
newUser.local.phone_number = phonenumber;
newUser.local.zip_code = zipcode;
newUser.local.city = city;
newUser.local.address_2 = address2;
newUser.local.address = address;
newUser.local.l_Name = lastname;
newUser.local.f_Name = firstname;
// Save new credentials
newUser.save(function(err) {
if(err)
throw err;
return done(null, newUser);
});
}
});
});
}));