JavaScriptµÄ Cross Site ½Å±¾×¢Èë·çÏÕ

    ½ñÌìÓÐÈËÀ´¹«Ë¾ÍÆÏúÍøÕ¾°²È«É¨ÃèÈí¼þ£¬ÑÝʾÁ˶ÔJSµÄ¿çÓò½Å±¾×¢Èë·çÏÕµÄɨÃ裬ÒÔǰûÒâʶµ½£¬½ñÌìÓÐËùÁ˽⡣Èç¹ûÄúµÄ³ÌÐòÒ³ÃæÓÐÒÔÏÂÇé¿ö£¬ÄÇôJS½Å±¾×¢ÈëµÄ·çÏվͺܴó£º
1£©Ò³Ãæ´ò¿ªÊ±£¬URL ÓÐij¸ö²ÎÊý£¬ÀýÈç XXPage.aspx?XXParam=XXValue
2£©aspxÒ³ÃæÀïÓÐÈçÏ´úÂ룺
<script>
    var p = "<%=Request["XXParam"];%>";
</script>
×¢Èë·çÏÕÈçÏ£º
1£©ºÚ¿Í¼ÙðÍøÕ¾Éí·Ý·¢ËÍÓʼþ¸øÓû§£¬Óû§´ò¿ªÍøÒ³Á´½Ó£¬Á´½ÓËäÈ»ÊÇÖ¸Ïò XXPage.aspx£¬µ« XXParam È´±»×öÁ˸ÄÔ죬ÀýÈ磺XXParam ±»ÉèÖÃΪ "; document.location.href = 'http://www.xxx.com/XXFakePage.aspx';//"¡£×¢Ò⣬ǰÃæµÄË«ÒýºÅÊÇÓÃÀ´ÆÁ±Î var p = " µÄ£¬ºóÃæ½ô½ÓמÍÊÇÒ»¸öJSÒ³ÃæÌøתÓï¾ä£»×îºóÃæµÄ //" ÊÇÓÃÀ´ÆÁ±Î JS ½Å±¾ÖеĺóÒýºÅµÄ¡£
Äã²Â½á¹û»áÔõôÑù£¿Ò³ÃæÖ±½Ó±»Ìøתµ½ http://www.xxx.com/XXFakePage.aspx£¬Èç¹ûÕâ¸öÒ³ÃæÊǼÙðҳÃ棬²¢ÇÒÕâ¸öÒ³ÃæÊÇǶÈëÔÚ Frameset ÀïµÄ£¬ÄÇÓû§»áÔÚºÁÎÞ¾õ²ìµÄÇé¿öÏ£¬°Ñ×¢ÈëÓû§Ãû¡¢ÃÜÂë¡¢ÒøÐп¨Õ˺ÅÃÜÂëÌá½»µ½¼ÙðҳÃæÉÏ£¡£¡
¶Ô²ß£º
·½·¨Ò»£º²»ÒªÓà <%=Request["XXParam"];%> À´½âÎö²ÎÊýÖµ£¬¶øÖ±½ÓÓà JS ½Å±¾´ÓURL»ñÈ¡²ÎÊýÖµ
·½·¨¶þ£º°Ñ²ÎÊýÖµÏÈ·ÅÔÚ HIDDEN ¿Ø¼þÀÀýÈç: <input type=hidden id=xxhid value="<%=Server.HtmlEncode(Request["XXParam"]);%>"> ÀȻºóÔÚ JS Àï¸ÄΪ var p = document.all.xxhid.value;
Ó¦¸Ã»¹ÓÐÆäËû·½·¨£¬ÒÔÉÏ·½·¨Ö»ÊÇʾÒ⣬ûÓÐÈ¥±àÒ룬½ö¹©²Î¿¼¡£