PCI compliance cross-site scripting - contact form

Time: 2011-11-17 19:54:11

Tags: php jquery contact-form cross-site pci-compliance

Long-time lurker, first-time poster. I'm new to PHP and hope someone can help. I'm posting about a PCI compliance issue with the contact form from this site's tutorial, Stag Contact Form Php Ajax Jquery. I'd like to know what I need to do to become compliant. I ran the code through a ControlScan scan and this is what came back:

Summary: 
Cross-Site Scripting

Risk: High (3)
Type: Fritko
Port: 80
Protocol: TCP
Threat ID: 300004

Information From Target:
Regular expression ".{0,1}'.{0,1}">" matched contents of /contactform.php/'">.

Query Parameters

Fritko - '">
Solution:
There are built in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function. In .Net you can use the Server.HtmlEncode() function.

Details:

XSS is a type of computer security vulnerability typically found 
in web applications which allow code injection by malicious web 
users into the web pages viewed by other users. Examples of such 
code include HTML code and client-side scripts. 

An attacker can use this vulnerability to completely alter the 
layout of a particular page for a specific user or to force the 
user to launch malicious javascript. 

Cross site scripting occurs when user input is not properly 
encoded by the application prior to display back to the user. In 
order to fix this issue, the application developers must encode 
most non-alphanumeric user-supplied data into their corresponding 
HTML characters before the data is displayed back to the user. For 
example, " would convert to &quot and < would convert 
to &lt; 

There are built in functions for different languages that may do 
the encoding for you. In PHP you can use the htmlspecialchars() 
function In .Net you can use the Server.HtmlEncode() function. 

After a lot of googling to fix the issue, I'm lost as to what I should add. The code on the site is exactly the code I'm using. Can you help me? If you go to the site you'll be able to view the full code and help me; I'd really appreciate it!

1 answer:

Answer 0 (score: 0)

Try using htmlspecialchars(). This will convert HTML into the special characters that represent the original text instead of being evaluated by the browser. This prevents someone from submitting a form with a "name" or "phone number" such as

<iframe src="http://www.facebook.com/changepassword.php?newpass=test123&verify=test123" height=0 width=0>

Without escaping the HTML, there is a security issue if this data is output to the browser. If it is escaped, the actual text is displayed instead of the iframe. (Just like it is on this site.)

Change:

$javascript_enabled = trim($_REQUEST['browser_check']);
$department = trim($_REQUEST['dept']);
$name = trim($_REQUEST['name']);
$email = trim($_REQUEST['email']);
$phno = trim($_REQUEST['phno']);
$subject = trim($_REQUEST['subject']);
$msg = trim($_REQUEST['msg']);
$selfcopy = trim($_REQUEST['selfcopy']);

To:

$javascript_enabled = trim(htmlspecialchars($_REQUEST['browser_check']));
$department = trim(htmlspecialchars($_REQUEST['dept']));
$name = trim(htmlspecialchars($_REQUEST['name']));
$email = trim(htmlspecialchars($_REQUEST['email']));
$phno = trim(htmlspecialchars($_REQUEST['phno']));
$subject = trim(htmlspecialchars($_REQUEST['subject']));
$msg = trim(htmlspecialchars($_REQUEST['msg']));
$selfcopy = trim(htmlspecialchars($_REQUEST['selfcopy']));
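Added example, not part of the answer above or of the tutorial's code: the scan report shows the probe reflected from the request path (/contactform.php/'">), not from a form field, so this sketch escapes at output time with an explicit flag set and avoids reflecting the path at all. It assumes the page writes the request path into the form's action attribute, which is a common cause of that finding; the tutorial's actual markup is not shown on this page, and the `e()` helper and the form functions are hypothetical.

```php
<?php
// Escape where the value is written into HTML, not where it is read from $_REQUEST.
declare(strict_types=1);

// One helper for every value that lands inside HTML. ENT_QUOTES also escapes the
// single quote (before PHP 8.1 the default flags left it alone), so a value written
// inside action='...' cannot break out. ENT_SUBSTITUTE keeps invalid UTF-8 from
// turning the whole output into an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request resembling the scanner's probe: path info appended to the
// script name (what $_SERVER['PHP_SELF'] would contain) plus a hostile field value.
$request = [
    'path' => "/contactform.php/'\">",
    'name' => '<iframe src="http://example.invalid/" height=0 width=0>',
];

// Vulnerable: reflecting the path unescaped lets '"> close the attribute and tag.
function vulnerableForm(array $r): string
{
    return '<form action="' . $r['path'] . '" method="post">'
         . '<input name="name" value="' . $r['name'] . '"></form>';
}

// Fixed: use the script's own name (not PHP_SELF, which carries untrusted path
// info) and escape every dynamic value at the point it is written into HTML.
function safeForm(array $r): string
{
    $action = '/contactform.php';            // or basename($_SERVER['SCRIPT_NAME'])
    return '<form action="' . e($action) . '" method="post">'
         . '<input name="name" value="' . e($r['name']) . '"></form>';
}

// The scanner's own check: does the raw probe survive into the response?
$probe = "'\">";
foreach (['vulnerableForm', 'safeForm'] as $fn) {
    $hit = strpos($fn($request), $probe) !== false;
    echo $fn . ': ' . ($hit ? 'probe reflected (vulnerable)' : 'probe encoded (ok)') . "\n";
}
```

Running the file shows the unescaped form reflecting the probe and the escaped form encoding it; the same `e()` wrapper belongs around every field the tutorial echoes back, including in the AJAX response.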