0

Possible Duplicate:
What are the best practices for avoiding xss attacks in a PHP site

I have a php board but it contains XSS security leaks.

If I insert following XSS in url address field in the IE6,

http://x.x.x.x/xe/?mid=notice&category='"--></style></script><script>alert(0x000640)</script> (here '"--></style></script><script>alert(0x000640)</script> is a XSS code)

the browser shows alert message with 1600 (it translate the above code as script)

to prevent XSS, i inserted following codes (if(preg_match('/"/',$target)) return true; )

function _isHackedSrc($src) {  
    if(!$src) return false;  
    if($src) {  
     $target = trim($src);  
     if(preg_match('/(\s|(\&\#)|(script:))/i', $target)) return true;  
     if(preg_match('/data:/i', $target)) return true;  

        $url_info = parse_url($src);  
        $query = $url_info['query'];  
     if(!trim($query)) return false;  
     $query = str_replace("&amp;","&",$query);  
        $queries = explode('&', $query);  
        $cnt = count($queries);  
        for($i=0;$i<$cnt;$i++) {  
            $tmp_str = strtolower(trim($queries[$i]));  
            $pos = strpos($tmp_str,'=');  
            if($pos === false) continue;  
            $key = strtolower(trim(substr($tmp_str, 0, $pos)));      
            $val = strtolower(trim(substr($tmp_str,$pos+1)));  
            if( ($key=='module'&&$val=='admin') || ($key=='act'&&preg_match('/admin/i',$val)) ) return true;  
        }
    }
    return false;
}

but it dosent work. please help me

4

2 回答 2

1

不要尝试检查任何输入是否有恶意内容 - 这是你永远输掉的战斗。

相反,您需要正确转义任何输入。对于 HTML,正确的函数是htmlspecialchars().

于 2012-09-07T11:03:17.743 回答
-4

尝试这个:

function _isHackedSrc($src) {  
    $src=trim(strip_tags(addslashes($src))); 
    ....
}

更多信息:http ://r00tsecurity.org/forums/topic/9924-workaround-strip-tags-and-addslashes-in-the-xss/

于 2012-09-07T11:02:59.680 回答