有没有人帮忙看看,自己想写一个存储型xss评论区,结果插入JavaScript语句不会被当做JavaScript语句执行,代码如下
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<form action="xss.php" method="post">
<label>用户名:</label></br>
<input type="text" name="username"></br>
<label>评论:</label></br>
<input type="text" name="message"></br>
<input type="submit" value="提交">
</form>
<div id="container">
</div>
</body>
<script>
var div = document.getElementById('container');
window.onload = function showMessageList(){
fetch('show_message.php')
.then(response=>response.json())
.then(data=>{
data.forEach(message => {
var user = message.user;
var mes = message.message;
var create_div = document.createElement('div');
create_div.innerHTML = user + mes;
container.appendChild(create_div);
});
// document.getElementById('data_container').innerHTML = 'user:'+data['user']+';'+'message:'+data['message'];
// })
})
}
</script>
</html>
后端
<?PHP
$sql_server='127.0.0.1';
$sql_user = 'root';
$sql_passwd = 'root';
$sql_db = 'test';
$db_con = mysqli_connect($sql_server,$sql_user,$sql_passwd,$sql_db);
if(!$db_con){
die('连接失败'.mysqli_connect_error());
}
$sql2 = "select username,message from content;";
$query = $db_con->query($sql2);
$row = $query->fetch_all();
$list = [];
foreach($row as $mes){
$user=$mes[0];
$message = $mes[1];
$dir = ['user'=>$user,'message'=>$message];
array_push($list,$dir);
}
$json_str = json_encode($list);
header('Content-type:application/json');
echo $json_str;
?>