douzhang1926 2009-01-16 19:21
浏览 27
已采纳

照顾XSS

I ran a pen-testing app and it found a ton of XSS errors, specfically, I'm guilty of echo'ing unverified data back to the browser through the querystring.

Specifically, running this puts javascript into my page. http://www.mywebsite.com/search.php?q=%00'" [ScRiPt]%20%0a%0d>alert(426177032569)%3B[/ScRiPt].

Thankfully, no where do I let users save data to a database and display back to other uesrs, so I THINK people would only be able to hack themselves with this problem, but I still want to fix it.

The recommendation is to do this:

echo htmlentities($_POST[‘input’], ENT_QUOTES, ‘UTF-8’);

But currently I need to get this patched up asap, then go fix on a case by case basis. I have a header file I include on every page on the site, I know it's bad form, but what could blow up if I did:

array_walk($_POST, 'htmlentities');

I'll need to do it for COOKIE and GET as well. I never use _REQUEST.

Thanks

  • 写回答

4条回答 默认 最新

  • dqkv0603 2009-01-16 22:54
    关注

    HTML-escaping on the way in is obviously The Wrong Thing, but could be a temporary fix until you replace the code with something proper. In the long term it would be unmaintainable and you'll have loads of weird application-level errors anywhere you start doing substring manipulations (including truncation, which your database may do automatically) across &-encoded characters. It's not that likely to lead to security breaches, although you can't tell without looking at the app in a lot more detail.

    If you start encoding things in $_SESSION each time, you'll get multiply-encoded too-long strings like & very quickly.

    I THINK people would only be able to hack themselves

    Or, an attacker on another web page could redirect or iframe to yours, with enough script injected to display a fake login box that looks just like your site's, harvest the username and password or automatically delete their account. Stuff like that. Not very good.

    The recommendation is to do this: echo htmlentities($_POST[‘input’], ENT _QUOTES, ‘UTF-8’);

    No need for htmlentities and all those parameters - use htmlspecialchars.

    You can save yourself a few keypresses using something like:

    function h($s) { echo(htmlspecialchars($s)); }
...
<?php h($POST['input']) ?>

    It's really not that much extra hassle.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?

  • 照顾XSS php xss
    2009-01-16 19:21
    回答 4 已采纳 HTML-escaping on the way in is obviously The Wrong Thing, but could be a temporary fix until you r
  • php XSS攻击后该怎么办? php xss
    2016-02-09 10:34
    回答 1 已采纳 Ok, so wanted to share an update and close this. Here is what I did to overcome my server injectio
  • PHP_SELF和XSS [重复] php xss
    2011-05-21 10:33
    回答 2 已采纳 If you’re using AcceptPathInfo or something similar such that a URI like /index.php/foo/bar is dir
  • 月饼计划之XSS
    2021-04-02 14:49
    红酒味蛋糕_的博客 月饼计划之XSS 注:本文首发地址:https://www.sec-in.com 文章作者为-句芒安全实验室-成员之一,欢迎微信搜索关注我们。 计划制定 2020年9月的某一天,天朗气清,惠风和畅。我默默打开日历,打算看下今日运势,宜...
  • Yii上的XSS保护 php xss
    2015-04-23 10:47
    回答 4 已采纳 for all actions in same just add a event handle to onBeginRequest: $this->attachEventHandl
  • 如何设计一个xss过滤器 java xss
    2023-03-06 17:25
    回答 2 已采纳 满足要求的XSS过滤器,可以采取以下步骤: 首先,定义一个过滤器类,该类包含一个过滤方法,用于接受需要过滤的输入字符串,然后返回已过滤的字符串。在过滤方法中,首先将输入字符串转换为小写字母,以防止大小
  • XSS和file_get_contents? php xss
    2015-03-06 20:49
    回答 1 已采纳 Yes, looks secure enough, but still not perfect. You also need to call is_file() and ensure it ret
  • XSS漏洞的绕过策略
    2021-08-17 22:29
    山中雨客的博客 XSS漏洞的绕过策略防绕过语句绕过js代码显示在属性内大写绕过双写关键字javascript特殊事件javascript特殊事件 防绕过语句 htmlspecialchars()语句可以将<>等敏感字符改动为html字符实体,用于变量的处理上。 ...
  • XSS没有在表单上工作 html php xss
    2016-05-12 13:21
    回答 1 已采纳 Check the console tab in the developer tools of your browser. My guess is that your browser has XS
  • jquery dom型xss手工利用 javascript jquery xss 有问必答
    2022-06-07 17:34
    回答 2 已采纳 贴出来的代码没看到具体html操作,notice这个扩展应该用到相关的html方法,可能存在xss注入漏洞,检查notice扩展的代码,相关参考 jquery html方
  • 为什么我这个xss不运行 javascript xss 前端
    2022-09-19 20:45
    回答 3 已采纳 设置dom的innerHTML,里面的js代码并不会执行,虽然是蓝色的,vue的xss注入一般通过v-html绑定富文本,但是包含script不会执行改为dom事件,比如img的onerror事件来自
  • php如何异步,php的异步处理
    2021-05-08 12:03
    李大爷不注册不行吗的博客 C#异步编程(一) 异步编程简介 前言 本人学习.Net两年有余,是第一次写博客,虽然写的很认真,当毕竟是第一次,肯定会有很多不足之处, 希望大家照顾照顾新人,有错误之处可以指出来,我会虚心接受的. 何谓异步 与同步相对 ...
  • beef-xss打不开 apache linux php
    2023-03-08 23:03
    回答 2 已采纳 不知道你这个问题是否已经解决, 如果还没有解决的话: 给你找了一篇非常好的博客,你可以看看是否有帮助,链接:BeEF-XSS实验手记如果你已经解决了该问题, 非常希望你能够分享一下解决方案, 写成博客
  • 自动粘贴PHP,PHP来清理粘贴的Microsoft输入
    2021-03-23 12:54
    白告爱吃面的博客 有人知道图书馆/班级/功能会为我照顾这个吗?它必定是一个常见的问题,尽管我找不到任何确定的东西.我最近一直在想,一系列寻找特定于MS的模式的暴力正则表达式可能会成功,但我不想重新编写可能已经可用的东西,除非我...
  • 你好星球公司php,2020新春战疫公益CTF
    2021-04-24 02:28
    CodeWhiz的博客 可能出题人想照顾我们送的吧。 上传一句话php文件,菜刀连接后进入shell。在根目录执行即可 盲注 此题看似困难其实并非一道难题。题目刚放出来时在想bypass技巧,等后来想清楚了很快就能做出来。源码忘了copy了,但是...
  • 没有解决我的问题, 去提问

悬赏问题

  • ¥15 用hfss做微带贴片阵列天线的时候分析设置有问题
  • ¥50 我撰写的python爬虫爬不了 要爬的网址有反爬机制
  • ¥15 Centos / PETSc / PETGEM
  • ¥15 centos7.9 IPv6端口telnet和端口监控问题
  • ¥120 计算机网络的新校区组网设计
  • ¥20 完全没有学习过GAN,看了CSDN的一篇文章,里面有代码但是完全不知道如何操作
  • ¥15 使用ue5插件narrative时如何切换关卡也保存叙事任务记录
  • ¥20 海浪数据 南海地区海况数据,波浪数据
  • ¥20 软件测试决策法疑问求解答
  • ¥15 win11 23H2删除推荐的项目,支持注册表等