createTextNode对HTML注入和XSS完全安全吗?-IscreateTextNodecompletelysafefromHTMLinjection&XSS?

I'm working on a single page webapp. I'm doing the rendering by directly creating DOM nodes. In particular, all user-supplied data is added to the page by creating text nodes with document.createTextNode("user data").

我正在开发一个网页应用。我通过直接创建DOM节点来进行渲染。特别是，所有用户提供的数据都通过使用文档创建文本节点添加到页面中。createTextNode(“用户数据”)。

Does this approach avoid any possibility of HTML injection, cross site scripting (XSS), and all the other evil things users could do?

这种方法是否可以避免HTML注入、跨站点脚本(XSS)以及用户可以做的所有其他坏事?

1 个解决方案

document.createTextNode('');