mpfirewall reports an XSS attack when posting a form

Time: 2015-11-21 09:16:21

Tags: php security xss firewall

[Update] I am using mpfirewall in my PHP application, but when I submit the user form I get an XSS attack. The form contains a ckeditor textarea, which sends its value with tags such as <p>, and that triggers the XSS detection.

private function _ENTITIES() {
    // Encode every GET/POST/COOKIE value as HTML entities, in place
    array_walk_recursive($_GET,get_class($this)."::_callHTMLENTITIES");
    array_walk_recursive($_POST,get_class($this)."::_callHTMLENTITIES");
    array_walk_recursive($_COOKIE,get_class($this)."::_callHTMLENTITIES");
}

private function _callHTMLENTITIES(&$item, $key) {
    $item = htmlentities($item, ENT_QUOTES,'utf-8');
}

private function _XSS() {
    // Sanitise every GET/POST/COOKIE value in place (strips tags)
    array_walk_recursive($_GET,get_class($this)."::_callXSS");
    array_walk_recursive($_POST,get_class($this)."::_callXSS");
    array_walk_recursive($_COOKIE,get_class($this)."::_callXSS");
}

private function XSS() {
    // Detection pass: abort the request if any value contains markup
    array_walk_recursive($_GET,get_class($this)."::_detectXSS");
    array_walk_recursive($_POST,get_class($this)."::_detectXSS");
    array_walk_recursive($_COOKIE,get_class($this)."::_detectXSS");
}

private function _callXSS(&$item, $key) {
    // FILTER_SANITIZE_STRING strips tags and encodes quotes
    $item = filter_var($item, FILTER_SANITIZE_STRING);
}

private function _detectXSS($item, $key) {
    // Any value that changes under strip_tags() is treated as an attack,
    // so an HTML-bearing field such as the ckeditor textarea always trips this
    if ($item != strip_tags($item)) {
        $this->write_logs("XSS");
        die("xss attack");
    }
}

HTML

<form action="" name="myForm" method="post">
<table>
    <tr>
        <td>Details</td>
        <td><textarea name="desc" class="ckeditor" id="desc" >
</textarea><script type="text/javascript">CKEDITOR.replace('desc')</script></td>
    </tr>
    <tr>
        <td></td>
        <td><input name="save" id="save" type="submit" value="Next" /> </td>
    </tr>
</table>
</form>

I am not sure how to solve this problem.
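The detection above cannot distinguish a rich-text field from an injection, because `strip_tags()` changes any string that contains a tag. The usual way out is to treat the rich-text field differently from every other field: run it through an HTML allowlist sanitizer and keep the strict no-markup rule for the rest. The following is an added example written for this question; it is not code from the asker or from mpfirewall. It assumes the field name `desc` from the form above, the small tag and attribute allowlists shown, and uses PHP's built-in `DOMDocument` as a stand-in for a maintained sanitizer such as HTMLPurifier.

```php
<?php
// Added example (not mpfirewall code): per-field handling instead of one global
// strip_tags() check. The field name 'desc' and the allowlists are assumptions
// chosen to match the form in the question; adjust them for your application.

const RICH_TEXT_FIELDS  = ['desc'];                       // fields ckeditor fills with HTML
const ALLOWED_TAGS      = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'a'];
const ALLOWED_ATTRS     = ['a' => ['href']];              // no event handlers, no style
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

// Reduce an HTML fragment to the allowlisted tags and attributes.
function sanitizeRichText(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                     // editor output may be untidy
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;                        // the wrapper <div>
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);                   // serialise only the fragment
    }
    return $out;
}

function cleanNode(DOMNode $node): void {
    foreach (iterator_to_array($node->childNodes) as $child) {  // snapshot: we mutate the list
        if ($child instanceof DOMText) {
            continue;                                     // plain text is always fine
        }
        if (!($child instanceof DOMElement)) {
            $node->removeChild($child);                   // comments, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);                   // element and everything inside it
            continue;
        }
        cleanNode($child);                                // clean descendants first
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown tag: keep its already-cleaned children, drop the wrapper.
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        $allowed = ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, $allowed, true);
            if ($keep && $name === 'href') {              // only http(s)/mailto links survive
                $keep = (bool) preg_match('#^(https?:|mailto:)#i', trim($attr->value));
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

// Apply the right check to each posted field: sanitise rich-text fields and keep
// the strict no-markup rule (the same test _detectXSS uses) for everything else.
function checkPostedFields(array $post): array {
    $clean = [];
    foreach ($post as $name => $value) {
        if (!is_string($value)) {
            throw new RuntimeException("unexpected non-string field '$name'");
        }
        if (in_array($name, RICH_TEXT_FIELDS, true)) {
            $clean[$name] = sanitizeRichText($value);
        } elseif ($value !== strip_tags($value)) {
            throw new RuntimeException("XSS: markup in non-rich-text field '$name'");
        } else {
            $clean[$name] = $value;
        }
    }
    return $clean;
}

// Constructed sample, not real traffic: what the form above might submit.
$sample = [
    'desc' => '<p>Hello <strong>world</strong></p>'
            . '<script>alert(1)</script>'
            . '<a href="javascript:alert(1)" onclick="f()">link</a>',
    'save' => 'Next',
];
print_r(checkPostedFields($sample));
```

Run this before the firewall's global pass, or exclude `desc` from that pass, otherwise `_callXSS` still strips the tags (note that `FILTER_SANITIZE_STRING` is deprecated as of PHP 8.1) and `_detectXSS` still aborts the request. The sanitizer keeps `<p>` and `<strong>`, removes the `<script>` element with its contents, and drops the `javascript:` link target and the `onclick` handler while keeping the link text.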

0 answers:

No answers