直到最近,我才为这个类弄乱HTML或PHP。我的任务是使用漏洞工具来诊断问题,然后尝试修复它们。我发现最高的警报是跨站点脚本 (XXS( 警报。我已经阅读了这个漏洞,但发现它相当混乱地告诉我我实际需要做什么。代码如下:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Form Login</title>
</head>
<body OnLoad="document.main.username.focus();">
<table >
<tr>
<td colspan="2">
<h4>Enter your Username and Email Address to continue</h4>
</td>
</tr>
<!-- create the main form with an input text box named uid and a password text box named mypassword -->
<form name="main" method="post" action="authcheck.php">
<tr>
<td>username:</td>
<td><input name="username" type="text" size="50"></td>
</tr>
<tr>
<td>Email Address:</td>
<td><input name="emailadd" type="text" size="50"></td>
</tr>
<tr>
<td colspan="2" align="center"><input name="btnsubmit" type="submit" value="Submit"></td>
</tr>
</table>
</form>
</body>
</html>
上面提到的下一个程序如下:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>User Authenticate </title>
</head>
<body>
<?php
// Retrieve Post Data
$username = $_POST["username"];
$email = $_POST["emailadd"];
// Set the session information
session_start();
$_SESSION['appusername'] = $username;
$_SESSION['appemail'] = $email;
// Display the Session information
echo "<h3> Session Data </h3>";
echo "<table border='1'>";
echo "<tr>
<td>Username </td>
<td> Email </td>
</tr>";
echo "<tr>
<td>" . $_SESSION['appusername'] . "</td>";
echo "<td>" . $_SESSION['appemail']. "</td>";
echo "</tr>";
echo "</table>";
// Provide a button to logout
echo "<form name='logout' method='post' action='logout.php'>
<input name='btnsubmit' type='submit' value='Logout'>
</form>";
?>
</body>
</html>
当我按下提交按钮时,会生成该程序。
我真的只是想找出我应该尝试做什么来修复此错误。谢谢
因为您在此处打印出变量:
echo "<tr>
<td>" . $_SESSION['appusername'] . "</td>";
echo "<td>" . $_SESSION['appemail']. "</td>";
echo "</tr>";
为此,您需要删除 HTML 标记,并用 entites 替换它们。为此,您至少需要:
$username = htmlentites($_POST["username"]);
$email = htmlentities($_POST["emailadd"]);
但是,您应该使用filter_var做更多的事情。http://www.w3schools.com/php/filter_validate_email.asp :
$username = htmlentites($_POST["username"]);
if (!filter_var($email, FILTER_VALIDATE_EMAIL) === false)
{
//Bad email, so something else.
die('...');
}
$email = $_POST["emailadd"];
问题是在将用户名或密码写入该表之前,您无论如何都没有对其进行清理。
使用清理$username和$email变量
$username = htmlspecialchars($_POST['username']);
$email = htmlspecialchars($_POST['emailadd']);
或
$username = htmlentities($_POST['username']);
$email = htmlentities($_POST['emailadd']);
htmlentities(); 用 HTML 变体替换所有字符,而htmlspecialchars();替换少量字符。
请注意,这是清理 POST 数据的最基本形式。您可以查看此过滤器功能以进行更"复杂"的清理和验证。