[英]Contact Form input filtering
通过查看联系表,我发现了跨站点脚本漏洞,但是对如何解决此问题的知识不足。
受影响的参数:使用的名称向量:“>警报(document.cookie)找到的模式:\\”>警报(document.cookie)完全攻击:/ http:// ############### ### / contact.php [name = \\“> alert(document.cookie)&email =&message =]
受影响的参数:使用的电子邮件矢量:“>警报(document.cookie)找到的模式:\\”>警报(document.cookie)完全攻击:/ http:// ############### ### / contact.php [name =&email = \\“> alert(document.cookie)&message =]
受影响的参数:使用的消息向量:“>警报(document.cookie)找到的模式:\\”>警报(document.cookie)完全攻击:/ http:// ############### ### / contact.php [name =&email =&message = \\“> alert(document.cookie)]
我当前的表单代码如下所示
<?php
if (isset($_POST['submit'])) {
$error = "";
if (!empty($_POST['name'])) {
$name = $_POST['name'];
if (!preg_match('/^[a-zA-Z0-9]+$/i', $name)){
$error .= "The name you entered is not valid. <br/>";
}
} else {
$error .= "You didn't type in your name. <br />";
}
if (!empty($_POST['email'])) {
$email = $_POST['email'];
if (!preg_match("/^[_a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)){
$error .= "The e-mail address you entered is not valid. <br/>";
}
} else {
$error .= "You didn't type in an e-mail address. <br />";
}
if (!empty($_POST['messagesubject'])) {
$messagesubject = $_POST['messagesubject'];
} else {
$error .= "You didn't type in a subject. <br />";
}
if (!empty($_POST['message'])) {
$message = $_POST['message'];
} else {
$error .= "You didn't type in a message. <br />";
}
if(($_POST['code']) == $_SESSION['code']) {
$code = $_POST['code'];
} else {
$error .= "The captcha code you entered does not match. Please try again. <br />";
}
if (empty($error)) {
$from = 'From: ' . $name . ' <' . $email . '>';
$to = "aaron@fosternetwork.co.uk";
$subject = strip_tags("CWS - Contact Us - \n" . $messagesubject);
$content = strip_tags("Name: " . $name . "\nSubject: " . $messagesubject . "\nMessage: \n" . $message);
$success = "<h2>Thank you! <span>Your message has been sent!</span></h2>";
mail($to,$subject,$content,$from);
$emailSent = true;
}
}
?>
形成
<form action="contact.php" method="post">
<label>Name:</label>
<input type="text" name="name" value="<?php if ($_POST['name']) { echo $_POST['name']; } ?>" />
<label>Email:</label>
<input type="text" name="email" value="<?php if ($_POST['email']) { echo $_POST['email']; } ?>" />
<label>Subject:</label>
<input type="text" name="messagesubject" value="<?php if ($_POST['messagesubject']) { echo $_POST['messagesubject']; } ?>" />
<label>Message:</label><br />
<textarea name="message" rows="20" cols="20"><?php if ($_POST['message']) { echo $_POST['message']; } ?></textarea>
<label>Please input the following code: <img src="captcha.php"></label>
<input type="text" name="code"> <br />
<button type="submit" class="colorButton" name="submit" value="Send message">Send Message</button>
</form>
任何帮助都非常感谢。
您的HTML代有一个缺陷:
value="<?php if ($_POST['name']) { echo $_POST['name']; } ?>"
您应该始终转义输出变量,即:
value="<?php if ($_POST['name']) { echo htmlspecialchars($_POST['name']); } ?>"
永远不要相信用户输入,有些人可以插入可能会危害系统或类似行为的javascript代码,这就是为什么您容易受到跨站点脚本攻击的影响,请清除通过此功能发布的输入:
function xss_protect($data, $strip_tags = false, $allowed_tags = "\"\'") {
if($strip_tags) {
$data = strip_tags($data, $allowed_tags . "<b>");
}
if(stripos($data, "script") !== false) {
$result = str_replace("script","scr<b></b>ipt", htmlentities($data, ENT_QUOTES,"UTF-8"));
} else {
$result = htmlentities($data, ENT_QUOTES, "UTF-8");
}
return $result;
}
要使用该功能,例如使用:
$code = xss_protect($_POST['code']);
您应该使用一些良好的编程习惯,例如:
初始化变量,这样,您总是可以打印一些东西,调试您将获得许多简单但令人讨厌的错误
$name = false;
$email = false;
$message = false;
$messagesubject = false;
如果要获取新值,请修改数据,例如根据情况从$ _POST获取数据。 如果以这种方式进行操作,那么在没有特定字段的数据的情况下,脚本将避免执行某些工作,并且您可以更轻松地控制脚本的流向和数据验证。
if ( isset( $_POST['name'] ) !== false ) {
// validate the content
$name = process_you_choose_to_clean( $_POST['name'] );
}
if ( isset( $_POST['email'] ) !== false ) {
// validate the content
$name = process_you_choose_to_clean( $_POST['email'] );
}
if ( isset( $_POST['message'] ) !== false ) {
// validate the content
$name = process_you_choose_to_clean( $_POST['message'] );
}
if ( isset( $_POST['messagesubject'] ) !== false ) {
// validate the content
$name = process_you_choose_to_clean( $_POST['messagesubject'] );
}
尽量避免在html部分中弄乱代码,如果您照顾好我之前提到的内容,类似的东西就可以很好地工作
<input type="text" name="name" value="<?php { echo( $name ); } ?>" />
关于清理,请考虑提到的选项,并使用PHP的filter_var选项
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.