2

我在基于 wordpress 的网站上有一个 HTML 表单,允许用户查看与表单输入匹配的数据库记录。根据本教程使用 AJAX http://www.w3schools.com/ajax/ajax_aspphp.asp我有一个在服务器上的 php 脚本上使用 GET 的 javascript。但是 javascript 不允许通过 XSS 保护运行控制台输出如下

The XSS Auditor refused to execute a script in 'page' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.

这是由我的 javascript 的调用方式引起的吗?

资源:

<html>
<head>
<script>
function showUser(degreecourse, Interest, gradyear){
var xmlHttp = new XMLHttpRequest();
xmlhttp.onreadystatechange=function()
  {
  if (xmlhttp.readyState==4 && xmlhttp.status==200)
    {
    document.getElementById("info").innerHTML=xmlhttp.responseText;
    }
  else{document.getElementById("info").innerHTML}="Error";
  }
xmlhttp.open("GET","/getcandidates.php?q=degreecourse=" + escape(degreecourse) + "&Interest=" + escape(Interest) + "&gradyear=" + escape(gradyear),true);
xmlhttp.send();
return false;
}
</script>
</head>
<body>
Filter By:


<form >
<table>
<tbody>
<tr>
<td>Degree Course:</td>
<td><select name="degreecourse" onchange = "showUser(document.getElementById('degreecourse').value, document.getElementById('Interest').value, document.getElementById('gradyear').value)">
<option>Any</option><option>Archaeology</option><option>Biochemistry</option><option>Biology</option><option>Biomedical Sciences</option><option>Chemistry</option><option>Computer Science</option><option>Economics</option><option>Education</option><option>Electronics</option><option>English</option><option>Environmental Studies</option><option>History</option><option>History of Art</option><option>Language and Linguistic Studies</option><option>Law</option><option>Management</option><option>Mathematics</option><option>Medicine</option><option>Music</option><option>Nursing, Midwifery and Healthcare</option><option>Philosophy</option><option>Physics</option><option>Politics</option><option>Politics, Economics and Philosophy</option><option>Psychology</option><option>Social Policy and Social Work</option><option>Social and Political Sciences</option><option>Sociology</option><option>Theatre, Film and Television</option></select></td>
</tr>

<tr>
<td>Interest:</td>
<td><select name="Interest" onchange = "showUser(document.getElementById('degreecourse').value, document.getElementById('Interest').value, document.getElementById('gradyear').value)">
<option>Any</option><option>Management</option><option>Marketing<option>Technical</option>
</select>
</td>
</tr>

<tr>
<td>Graduating After:</td><td><input id="gradyear" type="number" value=2013 name="gradyear" onchange = "showUser(document.getElementById('degreecourse').value, document.getElementById('Interest').value, document.getElementById('gradyear').value)"/></td>
</tr>
</tbody>
</table>
</form>
<br>
<div id="info"><b>Person info will be listed here.</b></div>

</body>
</html>

PHP文件连接数据库后返回如下HTML表格。

echo "<table border='1'>
<tr>
<th>Firstname</th>
<th>Lastname</th>
<th>Degree Subject</th>
<th>Email Address</th>
<th>Graduating Year</th>
<th>Interest</th>
<th>CV</th>
</tr>";

while($row = mysqli_fetch_array($result))
  {
  echo "<tr>";
  echo "<td>" . $row['Forname'] . "</td>";
  echo "<td>" . $row['Surname'] . "</td>";
  echo "<td>" . $row['DegreeSubject'] . "</td>";
  echo "<td>" . $row['EmailAddress'] . "</td>";
  echo "<td>" . $row['GraduatingYear'] . "</td>";
  echo "<td>" . $row['Interest'] . "</td>";
  echo "<td><form action='www.yorkcommunityconsulting.co.uk/CVs/".$row['CVurl']."><input type='submit' value='See CV'></form></td>";
  echo "</tr>";
  }
echo "</table>";
4

1 回答 1

0

  1. 在 JavaScript 版本 1.5 中不推荐使用 escape() 函数。请改用 encodeURI() 或 encodeURIComponent()。我不确定它会带你去你想要的地方,但至少可以解决你的部分问题。

  2. 您是否尝试过使用 jQuery (GET/load) 而不是普通的 JS 来查看是否得到相同的结果?

  3. 您的<option>标签未正确关闭(请参阅“营销”)
  4. 我不是 JS 大师,但是,您不必稍后关闭您的“其他”吗?就像在:“错误”之后;而不是在“=”符号之前?
    else{document.getElementById("info").innerHTML="Error";}

    代替

    else{document.getElementById("info").innerHTML}="Error";
于 2014-04-23T12:25:22.070 回答