sweetalert2 and xss
https://sweetalert2.github.io/#configuration
html | '' | A HTML description for the popup. If text and html parameters are provided in the same time, html will be used. [Security] SweetAlert2 does NOT sanitize this parameter. It is the developer's responsibility to escape any user input when using the html option, so XSS attacks would be prevented. |
text | '' | A description for the popup. If text and html parameters are provided in the same time, html will be used. |
https://www.cnblogs.com/zx-admin/p/6009558.html
html | false | If set to true, the title and text parameters will not be escaped. (Set this to false if you are worried about XSS attacks.) |
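html defaults to false, which HTML-encodes automatically. So when this is handled in an ASP.NET MVC .cshtml view, html needs to be set to true, because the MVC framework itself already does the HTML encoding.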
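An added example (not from the SweetAlert2 documentation or the linked blog post) of the escaping that the SweetAlert2 `html` warning asks for, and of what happens when a value that was already HTML-encoded on the server is escaped a second time. `escapeHtml`, `buildCommentPopup` and `buildPlainPopup` are hypothetical helper names, and the sample input is constructed.

```javascript
// Hypothetical helpers; not part of SweetAlert2.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters that can change how HTML is parsed.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Options for a popup that needs markup: only the fixed template
// contains tags, every interpolated user value is escaped first.
function buildCommentPopup(userName, comment) {
  return {
    title: 'New comment',
    html: `<b>${escapeHtml(userName)}</b> wrote:<br><i>${escapeHtml(comment)}</i>`,
  };
}

// Options for a popup that needs no markup: pass the raw string
// through `text` and leave `html` unset.
function buildPlainPopup(message) {
  return { title: 'Notice', text: String(message) };
}

// Constructed sample input containing markup.
const sampleName = 'Ann & <Bob>';
const sampleComment = '<img src=x onerror=alert(1)>';
const popup = buildCommentPopup(sampleName, sampleComment);
console.log(popup.html);

// Encoding must happen exactly once. A value the server already
// HTML-encoded and that is escaped again shows literal entities.
const encodedByServer = escapeHtml('<b>');          // '&lt;b&gt;'
const encodedTwice = escapeHtml(encodedByServer);   // '&amp;lt;b&amp;gt;'
console.log(encodedTwice);

// In the browser, with SweetAlert2 loaded: Swal.fire(popup);
```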