下面是被调用的URL:
https://xyz.abc.com/gadgets/proxy?container=default&debug=0&nocache=0&refresh=86400&html_tag_context=img&url=w49y1<a+href%3da+onmouseover%3dalert(1);>ClickMe</a>d6zjo
响应为:
Invalid request url scheme in url: vdfv; only "http" and "https" supported.
标题:
General:
Request Method: GET
Status Code: 400 Bad Request
Remote Address: 10.78.95.57:8445
Referrer Policy: no-referrer-when-downgrade
Response Headers:
Cache-Control: public,max-age=1
Connection: close
Content-Length: 95
Date: Thu, 16 May 2019 07:34:30 GMT
Expires: Thu, 16 May 2019 07:34:31 GMT
Server:
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Request Headers:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cache-Control: no-cache
Connection: keep-alive
Pragma: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
在浏览器中呈现响应时,将添加pre标签。
<pre style="word-wrap: break-word; white-space: pre-wrap;">Invalid url: w49y1&lt;a href=a onmouseover=alert(1);&gt;ClickMe&lt;/a&gt;d6zjo</pre>
此预标签如何/为什么/来自何处?
答案 0 :(得分:0)
如果响应为文本/纯文本,则浏览器将添加PRE标签。
在上述问题中,在渲染时添加了pre标签。因为未指定Content-Type,因此可以将其视为文本/纯文本。
提示:最好发送带有预期/相关内容类型的响应。