我在基于wordpress的网站上有一个HTML表单,允许用户查看与表单输入相匹配的数据库记录。使用基于本教程的{AJ http://www.w3schools.com/ajax/ajax_aspphp.asp我有一个javascript,它在服务器上的php脚本上使用GET。但是,不允许通过XSS保护运行javascript控制台输出如下
The XSS Auditor refused to execute a script in 'page' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
这是由我的javascript调用方式引起的吗?
来源:
<html>
<head>
<script>
function showUser(degreecourse, Interest, gradyear){
var xmlHttp = new XMLHttpRequest();
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
document.getElementById("info").innerHTML=xmlhttp.responseText;
}
else{document.getElementById("info").innerHTML}="Error";
}
xmlhttp.open("GET","/getcandidates.php?q=degreecourse=" + escape(degreecourse) + "&Interest=" + escape(Interest) + "&gradyear=" + escape(gradyear),true);
xmlhttp.send();
return false;
}
</script>
</head>
<body>
Filter By:
<form >
<table>
<tbody>
<tr>
<td>Degree Course:</td>
<td><select name="degreecourse" onchange = "showUser(document.getElementById('degreecourse').value, document.getElementById('Interest').value, document.getElementById('gradyear').value)">
<option>Any</option><option>Archaeology</option><option>Biochemistry</option><option>Biology</option><option>Biomedical Sciences</option><option>Chemistry</option><option>Computer Science</option><option>Economics</option><option>Education</option><option>Electronics</option><option>English</option><option>Environmental Studies</option><option>History</option><option>History of Art</option><option>Language and Linguistic Studies</option><option>Law</option><option>Management</option><option>Mathematics</option><option>Medicine</option><option>Music</option><option>Nursing, Midwifery and Healthcare</option><option>Philosophy</option><option>Physics</option><option>Politics</option><option>Politics, Economics and Philosophy</option><option>Psychology</option><option>Social Policy and Social Work</option><option>Social and Political Sciences</option><option>Sociology</option><option>Theatre, Film and Television</option></select></td>
</tr>
<tr>
<td>Interest:</td>
<td><select name="Interest" onchange = "showUser(document.getElementById('degreecourse').value, document.getElementById('Interest').value, document.getElementById('gradyear').value)">
<option>Any</option><option>Management</option><option>Marketing<option>Technical</option>
</select>
</td>
</tr>
<tr>
<td>Graduating After:</td><td><input id="gradyear" type="number" value=2013 name="gradyear" onchange = "showUser(document.getElementById('degreecourse').value, document.getElementById('Interest').value, document.getElementById('gradyear').value)"/></td>
</tr>
</tbody>
</table>
</form>
<br>
<div id="info"><b>Person info will be listed here.</b></div>
</body>
</html>
连接到数据库后,PHP文件返回HTML表格。
echo "<table border='1'>
<tr>
<th>Firstname</th>
<th>Lastname</th>
<th>Degree Subject</th>
<th>Email Address</th>
<th>Graduating Year</th>
<th>Interest</th>
<th>CV</th>
</tr>";
while($row = mysqli_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $row['Forname'] . "</td>";
echo "<td>" . $row['Surname'] . "</td>";
echo "<td>" . $row['DegreeSubject'] . "</td>";
echo "<td>" . $row['EmailAddress'] . "</td>";
echo "<td>" . $row['GraduatingYear'] . "</td>";
echo "<td>" . $row['Interest'] . "</td>";
echo "<td><form action='www.yorkcommunityconsulting.co.uk/CVs/".$row['CVurl']."><input type='submit' value='See CV'></form></td>";
echo "</tr>";
}
echo "</table>";
答案 0 :(得分:0)
在JavaScript 1.5版中不推荐使用escape()函数。请改用encodeURI()或encodeURIComponent()。我不确定它会让你到达你想要的地方,但至少可以解决部分问题。
您是否尝试过使用jQuery(GET / load)代替普通JS来查看是否得到相同的结果?
<option>标记未正确关闭(请参阅“营销”) else{document.getElementById("info").innerHTML="Error";}
instead of
else{document.getElementById("info").innerHTML}="Error";