
WEB WEB2 - Node.js - MySQL - 보안 - Escaping


보안 - Escaping

수업소개

공격의 의도를 가진 자바스크립트 코드를 입력해서 이 코드를 웹 브라우저로 실행할 때 공격목적을 달성하는 공격 기법을 Cross site scripting (XSS) 이라고 합니다. 이를 막는 방법을 살펴보겠습니다. 

 

 

 

강의

 

 

 

소스코드

변경사항


author.js

var db = require('./db');
var template = require('./template.js');
var qs = require('querystring');
var url = require('url');
var sanitizeHtml = require('sanitize-html');
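/**
 * GET /author — renders the topic list, the author table and a "create" form.
 *
 * @param {import('http').IncomingMessage} request - unused here; kept so every handler shares one signature
 * @param {import('http').ServerResponse} response - receives the rendered page (200), or 500 on a query error
 *
 * No request data is interpolated into this page; stored names/profiles are rendered by
 * template.authorTable, which passes them through sanitizeHtml.
 */
exports.home = function(request, response){
  // The original never checked `error`/`error2`; with `topics`/`authors` undefined the
  // templates would most likely have thrown inside the callback instead of answering the client.
  function fail(){
    response.writeHead(500, {'Content-Type': 'text/plain; charset=utf-8'});
    response.end('Internal Server Error');
  }
  db.query(`SELECT * FROM topic`, function(error, topics){
    if(error){
      return fail();
    }
    db.query(`SELECT * FROM author`, function(error2, authors){
      if(error2){
        return fail();
      }
      const title = 'author';
      const list = template.list(topics);
      const html = template.HTML(title, list, `
${template.authorTable(authors)}
<style>
table{
  border-collapse: collapse;
}
td{
  border:1px solid black;
}
</style>
<form action="/author/create_process" method="post">
  <p>
    <input type="text" name="name" placeholder="name">
  </p>
  <p>
    <textarea name="profile" placeholder="description"></textarea>
  </p>
  <p>
    <input type="submit" value="create">
  </p>
</form>
`, ``);
      // Explicit charset: the page is built from utf-8 strings, so say so instead of letting the browser sniff.
      response.writeHead(200, {'Content-Type': 'text/html; charset=utf-8'});
      response.end(html);
    });
  });
};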
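/**
 * POST /author/create_process — inserts one author row and redirects back to /author.
 *
 * @param {import('http').IncomingMessage} request - URL-encoded form body carrying `name` and `profile`
 * @param {import('http').ServerResponse} response - 302 to /author on success, 500 if the INSERT fails
 *
 * `name` and `profile` are bound through `?` placeholders, so the driver handles SQL escaping;
 * HTML escaping is deferred to render time (template.js / sanitizeHtml), which is where this
 * lesson's XSS defence lives.
 */
exports.create_process = function(request, response){
  // Keep the raw chunks and decode once at the end: `body + data` decoded every chunk on its own,
  // which can corrupt a multi-byte UTF-8 character that straddles a chunk boundary.
  const chunks = [];
  request.on('data', function(chunk){
    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
  });
  request.on('end', function(){
    // NOTE(review): the body is buffered with no size cap; add a limit (413) before exposing this publicly.
    const post = qs.parse(Buffer.concat(chunks).toString('utf8'));
    db.query(`
      INSERT INTO author (name, profile)
      VALUES(?, ?)`,
      [post.name, post.profile],
      function(error){
        if(error){
          // `throw` inside this callback would surface as an uncaught exception and stop the server.
          response.writeHead(500, {'Content-Type': 'text/plain; charset=utf-8'});
          response.end('Internal Server Error');
          return;
        }
        response.writeHead(302, {Location: `/author`});
        response.end();
      }
    );
  });
};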
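/**
 * GET /author/update?id=… — renders the author table and an "update" form pre-filled with one author.
 *
 * @param {import('http').IncomingMessage} request - `request.url` carries the `id` query parameter
 * @param {import('http').ServerResponse} response - 200 with the page; 404 when no author has that id; 500 on a query error
 *
 * `id` reaches the database only through a `?` placeholder. Stored name/profile values are passed
 * through sanitizeHtml before interpolation, as in the original; the query-string id, which the
 * original dropped into a quoted attribute without any escaping, is now attribute-escaped as well.
 */
exports.update = function(request, response){
  // Attribute-context escaper for the hidden id field: a `"` in the query string would otherwise
  // terminate the attribute value and let whatever follows be parsed as markup.
  function escapeAttr(value){
    return String(value)
      .replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#39;');
  }
  function fail(status, message){
    response.writeHead(status, {'Content-Type': 'text/plain; charset=utf-8'});
    response.end(message);
  }
  db.query(`SELECT * FROM topic`, function(error, topics){
    if(error){
      return fail(500, 'Internal Server Error');
    }
    db.query(`SELECT * FROM author`, function(error2, authors){
      if(error2){
        return fail(500, 'Internal Server Error');
      }
      // url.parse is the legacy parser; only its `.query` is used here, so the original behaviour is kept.
      const queryData = url.parse(request.url, true).query;
      db.query(`SELECT * FROM author WHERE id=?`, [queryData.id], function(error3, author){
        if(error3){
          return fail(500, 'Internal Server Error');
        }
        if(!author || author.length === 0){
          // The original read author[0].name unconditionally and threw a TypeError for an unknown id.
          return fail(404, 'Not Found');
        }
        const title = 'author';
        const list = template.list(topics);
        const html = template.HTML(title, list, `
${template.authorTable(authors)}
<style>
table{
  border-collapse: collapse;
}
td{
  border:1px solid black;
}
</style>
<form action="/author/update_process" method="post">
  <p>
    <input type="hidden" name="id" value="${escapeAttr(queryData.id)}">
  </p>
  <p>
    <input type="text" name="name" value="${sanitizeHtml(author[0].name)}" placeholder="name">
  </p>
  <p>
    <textarea name="profile" placeholder="description">${sanitizeHtml(author[0].profile)}</textarea>
  </p>
  <p>
    <input type="submit" value="update">
  </p>
</form>
`, ``);
        response.writeHead(200, {'Content-Type': 'text/html; charset=utf-8'});
        response.end(html);
      });
    });
  });
};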
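/**
 * POST /author/update_process — updates one author row by id and redirects back to /author.
 *
 * @param {import('http').IncomingMessage} request - URL-encoded form body carrying `id`, `name` and `profile`
 * @param {import('http').ServerResponse} response - 302 to /author on success, 500 if the UPDATE fails
 *
 * All three values are bound through `?` placeholders. A missing or unknown `id` simply matches
 * no row; the redirect still happens, as in the original.
 */
exports.update_process = function(request, response){
  // Keep the raw chunks and decode once at the end: `body + data` decoded every chunk on its own,
  // which can corrupt a multi-byte UTF-8 character that straddles a chunk boundary.
  const chunks = [];
  request.on('data', function(chunk){
    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
  });
  request.on('end', function(){
    // NOTE(review): the body is buffered with no size cap; add a limit (413) before exposing this publicly.
    const post = qs.parse(Buffer.concat(chunks).toString('utf8'));
    db.query(`
      UPDATE author SET name=?, profile=? WHERE id=?`,
      [post.name, post.profile, post.id],
      function(error){
        if(error){
          // `throw` inside this callback would surface as an uncaught exception and stop the server.
          response.writeHead(500, {'Content-Type': 'text/plain; charset=utf-8'});
          response.end('Internal Server Error');
          return;
        }
        response.writeHead(302, {Location: `/author`});
        response.end();
      }
    );
  });
};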
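/**
 * POST /author/delete_process — deletes an author's topics, then the author, and redirects to /author.
 *
 * @param {import('http').IncomingMessage} request - URL-encoded form body carrying `id`
 * @param {import('http').ServerResponse} response - 302 to /author on success, 500 if either DELETE fails
 *
 * The two DELETEs are issued back to back without a transaction, as in the original: if the
 * second one fails the topics are already gone. `id` is bound through a `?` placeholder.
 */
exports.delete_process = function(request, response){
  // Keep the raw chunks and decode once at the end: `body + data` decoded every chunk on its own,
  // which can corrupt a multi-byte UTF-8 character that straddles a chunk boundary.
  const chunks = [];
  request.on('data', function(chunk){
    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
  });
  // `throw` inside a query callback would surface as an uncaught exception and stop the server.
  function fail(){
    response.writeHead(500, {'Content-Type': 'text/plain; charset=utf-8'});
    response.end('Internal Server Error');
  }
  request.on('end', function(){
    // NOTE(review): the body is buffered with no size cap; add a limit (413) before exposing this publicly.
    const post = qs.parse(Buffer.concat(chunks).toString('utf8'));
    db.query(
      `DELETE FROM topic WHERE author_id=?`,
      [post.id],
      function(error1){
        if(error1){
          return fail();
        }
        db.query(`
          DELETE FROM author WHERE id=?`,
          [post.id],
          function(error2){
            if(error2){
              return fail();
            }
            response.writeHead(302, {Location: `/author`});
            response.end();
          }
        );
      }
    );
  });
};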

 

template.js

var sanitizeHtml = require('sanitize-html');
/**
 * HTML rendering helpers shared by the route handlers.
 *
 * Every stored text value (topic titles, author names and profiles) is passed through
 * sanitizeHtml before interpolation. `id` values are interpolated as-is into URLs and
 * attribute values, and the `title`, `list`, `control` and `body` arguments of HTML()
 * are inserted unchanged — escaping those is the caller's job.
 */
module.exports = {
  /**
   * Wraps the pieces in the page skeleton.
   * @param {string} title - page title, inserted unescaped into <title>
   * @param {string} list - rendered topic list (see list())
   * @param {string} body - main content
   * @param {string} control - markup placed between the list and the body
   * @returns {string} complete HTML document
   */
  HTML(title, list, body, control){
    return `
<!doctype html>
<html>
<head>
<title>WEB1 - ${title}</title>
<meta charset="utf-8">
</head>
<body>
<h1><a href="/">WEB</a></h1>
<a href="/author">author</a>
${list}
${control}
${body}
</body>
</html>
`;
  },
  /**
   * Renders topics as a <ul> of links to /?id=….
   * @param {Array<{id: *, title: string}>} topics - rows with `id` and `title`
   * @returns {string}
   */
  list(topics){
    const items = Array.from(topics, (topic) =>
      `<li><a href="/?id=${topic.id}">${sanitizeHtml(topic.title)}</a></li>`);
    return `<ul>${items.join('')}</ul>`;
  },
  /**
   * Renders a <select name="author"> with one <option> per author.
   * @param {Array<{id: *, name: string}>} authors - rows with `id` and `name`
   * @param {*} author_id - id of the option to mark as selected
   * @returns {string}
   */
  authorSelect(authors, author_id){
    const options = Array.from(authors, (author) => {
      // Strict comparison: a string id and a numeric id never match, so nothing is pre-selected then.
      const selected = author.id === author_id ? ' selected' : '';
      return `<option value="${author.id}"${selected}>${sanitizeHtml(author.name)}</option>`;
    });
    return `
<select name="author">
${options.join('')}
</select>
`;
  },
  /**
   * Renders the author table with an update link and a delete form per row.
   * @param {Array<{id: *, name: string, profile: string}>} authors - rows with `id`, `name`, `profile`
   * @returns {string}
   */
  authorTable(authors){
    const rows = Array.from(authors, (author) => `
<tr>
<td>${sanitizeHtml(author.name)}</td>
<td>${sanitizeHtml(author.profile)}</td>
<td><a href="/author/update?id=${author.id}">update</a></td>
<td>
<form action="/author/delete_process" method="post">
<input type="hidden" name="id" value="${author.id}">
<input type="submit" value="delete">
</form>
</td>
</tr>
`);
    return `<table>${rows.join('')}</table>`;
  }
};

 

