
Need help correcting an XSS vulnerability in my code

It was brought to my attention that my image popup code is subject to an XSS attack. I understand the issue, but as PHP is not my area of expertise, I am not sure how to correct it. I've done a fair bit of searching here, but still am not fully clear on how to fix my code.

Here's the code that is problematic:

<?php
  // The first argument comes straight from the query string and is not escaped or validated.
  echo '<a href="javascript:window.close()">' . zen_image($_GET['products_image_large_additional'], $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) . '</a>';
?>

How do I correct this code to fix the XSS vulnerability in it?

You're obviously getting the product's data on the server side ( $products_values->fields['products_name'] ), so why not get the image in the same way instead of passing it through $_GET ? That should fix your problem.

I'm not sure what zen_image expects/does, but you could escape the GET variables before passing them to the function.

<?php
    echo '<a href="javascript:window.close()">' . zen_image(strip_tags($_GET['products_image_large_additional']), $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) . '</a>';
?>

I used the function strip_tags to remove any HTML tags.
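The following is an added example, not code from the question, either answer, or Zen Cart itself. It illustrates both suggestions above side by side: resolving the image from the product record that is already loaded server side (first answer) and escaping anything that still reaches HTML (second answer). One caveat a practitioner should keep in mind: strip_tags() alone does not close this hole, because a value such as `" onerror="alert(1)` contains no tags at all and passes through unchanged, yet it closes the src attribute and adds an event handler. The `render_image()` function below is a stand-in for zen_image(), assumed to build an `<img>` tag from its arguments without escaping; the `$products_values` record, the list of additional images stored on it, and the attacker payload are all constructed for the demonstration.

```php
<?php
// Added example (not from the original question or the Zen Cart code base).
// Shows the request parameter flowing into an HTML attribute unchecked, and a
// hardened version that only lets the request *select* one of the product's
// own images and escapes every value that reaches HTML.
declare(strict_types=1);

// Constructed stand-in for the product row the page already loads server side.
$products_values = new stdClass();
$products_values->fields = [
    'products_id'   => 42,
    'products_name' => 'Blue Widget',
    // Additional images that legitimately belong to this product (constructed).
    'products_image_large_additional' => [
        'blue_widget_side.jpg',
        'blue_widget_back.jpg',
    ],
];
const TEXT_CLOSE_WINDOW = 'Close window';

// Stand-in for zen_image(): assumed to build an <img> tag without escaping.
function render_image(string $src, string $alt): string
{
    return '<img src="images/' . $src . '" alt="' . $alt . '" />';
}

// VULNERABLE: the query-string value goes straight into the src attribute.
function popup_vulnerable(array $get, stdClass $products_values): string
{
    $alt = $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW;
    return '<a href="javascript:window.close()">'
        . render_image($get['products_image_large_additional'], $alt)
        . '</a>';
}

// HARDENED: allowlist lookup against the product's stored images, then escape.
function popup_hardened(array $get, stdClass $products_values): string
{
    $allowed   = $products_values->fields['products_image_large_additional'];
    $requested = (string)($get['products_image_large_additional'] ?? '');

    // Strict comparison: the request must name exactly one stored filename.
    // Anything else (including attribute-breakout payloads) falls back to a
    // known-good image instead of being rendered.
    if (!in_array($requested, $allowed, true)) {
        $requested = $allowed[0];
    }

    $alt = $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW;
    // Escape both quote styles so neither value can terminate its attribute.
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<a href="javascript:window.close()">'
        . render_image($h($requested), $h($alt))
        . '</a>';
}

// Constructed attacker input: contains no tags, so strip_tags() leaves it
// intact, but the leading quote closes src and injects an event handler.
$payload = ['products_image_large_additional' => '" onerror="alert(document.cookie)'];

echo popup_vulnerable($payload, $products_values), PHP_EOL;
echo popup_hardened($payload, $products_values), PHP_EOL;
echo popup_hardened(['products_image_large_additional' => 'blue_widget_back.jpg'], $products_values), PHP_EOL;
```

Run it with the PHP CLI and compare the three lines: the vulnerable version emits the payload inside the tag as a live onerror attribute, the hardened version emits the first stored filename because the payload is not on the allowlist, and a legitimate filename is passed through unchanged. The allowlist is the real fix; htmlspecialchars() with ENT_QUOTES is the defence in depth for the alt text and for any case where the lookup is later relaxed.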
