How to execute a tag in an AJAX call without making any changes in the client-side JS

Time: 2022-03-01 16:14:23
[
    {
        "Book ID": "1",
        "Book Name": "UNIX **<script type='text/javascript'>alert('test')</script>**",
        "Category": "Computers",
        "Price": "113"
    }, 
    {
        "Book ID": "2",
        "Book Name": "Book two",
        "Category": "Programming",
        "Price": "562"
    }
]

This is the JSON I am sending via an API I am sharing with multiple people. When I parse the JSON using JavaScript, the <script> tag is not executed. What modifications should I make in the JS injected into the JSON so that the <script> tag will be executed without doing any extra work in the client-side JS? Is it possible?

2 solutions

#1


0  

It is not possible.

If the techniques you are using to insert that code into the document do not trigger the JS, then changing what you are inserting won't fix that.

#2


0  

You have two options:

Find a flaw in the client page and exploit it. For example, if the client JS gets the API answer and prints it in a <label> tag unsanitized, you could send something like </label><script>alert(1)</script><label> so your script would close the label, inject your script and open it again.

Or you could make a minimal modification on the client side and get the object from the API like this:

{
    "Book ID": "1",
    "Book Name": "UNIX",
    "script": "alert('test')",
    "Category": "Computers",
    "Price": "113"
},

And then, on the client side, run it with:

Function(obj.script)();
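
Seen from the side of whoever consumes such an API, here is an added example (not part of the original thread) of a client that treats the response strictly as data: unexpected keys such as "script" are dropped instead of executed, and values are HTML-encoded before they reach markup. The helper names are hypothetical, and the sample response is constructed from the payloads quoted above.

```javascript
// Added example (not from the thread). Field names come from the JSON in the
// question; the helper names below are hypothetical.
const ALLOWED_KEYS = new Set(["Book ID", "Book Name", "Category", "Price"]);

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Keep only expected string fields; a "script" key is dropped, never run.
function sanitizeBook(record) {
  const clean = {};
  for (const [key, value] of Object.entries(record)) {
    if (ALLOWED_KEYS.has(key) && typeof value === "string") clean[key] = value;
  }
  return clean;
}

// The flawed pattern from answer #2: API text concatenated into markup.
function renderLabelUnsafe(book) {
  return "<label>" + book["Book Name"] + "</label>";
}

// Same output position, but the value is encoded as text first.
function renderLabelSafe(book) {
  return "<label>" + escapeHtml(book["Book Name"]) + "</label>";
}

// Constructed API response, built from the payloads quoted on this page.
const apiResponse = JSON.stringify([
  { "Book ID": "1", "Book Name": "UNIX </label><script>alert(1)</script><label>",
    "script": "alert('test')", "Category": "Computers", "Price": "113" },
  { "Book ID": "2", "Book Name": "Book two", "Category": "Programming", "Price": "562" },
]);

const books = JSON.parse(apiResponse).map(sanitizeBook);
for (const book of books) {
  console.log("unsafe:", renderLabelUnsafe(book));
  console.log("safe:  ", renderLabelSafe(book));
}
```

In a browser, assigning the value to an element's `textContent` achieves the same encoding without building HTML strings at all.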
