简体繁体中英

XSS attack from url get variable

原文 2014-02-19 14:13:38 1 2 javascript/ php

I have a site fetch data from database and create a links to next page

The links page will required page_id and it will display title on url bar

<a href=example.php?page=2&title=foo">click</a>

The URL will display:

example.php?page=2&title=foo

page_id will be number only but title can be anything.

My questions are:

What if user save javascript:alert() into title?
Will it run script from URL?
Is there anything else I should take care of?

2 answers

you should use:

urlencode to encode query parameters,
htmlspecialchars to escape content typed by user inside html
binding parameters to sql statements to avoid sql injection
( http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php )

浏览器不应该也不应（至少IE11不会）执行onclick属性中的javascript。

prevent url from xss attack in javascript

XSS Attack for Modifying the URL

How to protect against Encoded URL XSS Attack

Does url-shortening prevent XSS attack?

Protecting access token from XSS attack

How to prevent XSS attack from the ASP

Detecting DOM XSS attack

Preventing XSS Attack on Form

XSS attack prevention

How is this XSS attack working?

暂无

暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question prevent url from xss attack in javascript XSS Attack for Modifying the URL How to protect against Encoded URL XSS Attack Does url-shortening prevent XSS attack? Protecting access token from XSS attack How to prevent XSS attack from the ASP Detecting DOM XSS attack Preventing XSS Attack on Form XSS attack prevention How is this XSS attack working?

Related Tags

粤ICP备18138465号 © 2020-2024 STACKOOM.COM