As an example, suppose one of the following requests is sent to the server:

    index.php?s=1%3cbody+onload=alert(1)%3e

or

    article.php?title=<meta%20http-equiv="Refresh"%20content="0;">

Here the module value (m) names a nonexistent module, and the injected string is a complete script. The exception error page echoes the request back without escaping it, so the script runs in the visitor's browser: a reflected cross-site scripting (XSS) attack.
Precautionary method:

Open the exception error page template, ThinkException.tpl.php (2.x) or think_exception.tpl (3.x). Two places need to be changed:

Line 57:
    echo($_SERVER['PHP_SELF']);
change to
    echo strip_tags($_SERVER['PHP_SELF']);

Line 62:
    echo $e['message'];
change to
    echo strip_tags($e['message']);
In addition, in the upcoming official ThinkPHP 3.0 release, the template variables GROUP_NAME, MODULE_NAME, ACTION_NAME, __URL__, __SELF__, __APP__ and $_SERVER['PHP_SELF'] are already safely escaped.

ThinkPHP official recommendations:
XSS (cross-site scripting) can be used to steal other users' cookie information. To avoid such problems, you can use the following measures:
Filter out all JavaScript directly;
Escape HTML metacharacters using htmlentities, htmlspecialchars and similar functions;
The system's extended function library provides the remove_xss method for XSS security filtering;
In the new version, some of the system variables accessed through the URL have already been XSS-processed.
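The following is an added example, not code from ThinkPHP or from the original page, illustrating both the two-line template fix above and the "escape HTML metacharacters" recommendation. It reduces the exception template to a small stand-in function so the unsafe echo, the strip_tags() fix and an htmlspecialchars() variant can be compared on the same input. The function names and the sample request are constructed for this example; the payload in the sample is the one already quoted on this page.

```php
<?php
// Added example (not ThinkPHP's own code): a minimal stand-in for the two
// echo statements in the exception template, showing the unsafe form beside
// two hardened forms. Function names and sample input are constructed.

declare(strict_types=1);

// Unsafe: what the original template did, reflecting untrusted input raw.
function render_error_unsafe(string $phpSelf, string $message): string
{
    return "<p>Request: " . $phpSelf . "</p>\n"
         . "<p>Error: " . $message . "</p>\n";
}

// Fix as applied on the page: strip_tags() removes tag markup. It does not
// encode quotes or stray angle brackets, so it is only adequate when the
// value lands in element text, as it does in these two template lines.
function render_error_strip_tags(string $phpSelf, string $message): string
{
    return "<p>Request: " . strip_tags($phpSelf) . "</p>\n"
         . "<p>Error: " . strip_tags($message) . "</p>\n";
}

// Stronger form matching the page's "escape HTML metacharacters" advice:
// htmlspecialchars() with ENT_QUOTES encodes <, >, &, " and ', so the value
// cannot change the parser's context regardless of where it is printed.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_error_escaped(string $phpSelf, string $message): string
{
    return "<p>Request: " . esc($phpSelf) . "</p>\n"
         . "<p>Error: " . esc($message) . "</p>\n";
}

// Constructed sample input: the request path from the page's example, and an
// error message that simply repeats the unknown module name.
$phpSelf = '/index.php?s=1<body onload=alert(1)>';
$message = 'Module 1<body onload=alert(1)> does not exist';

echo "--- unsafe ---\n",     render_error_unsafe($phpSelf, $message);
echo "--- strip_tags ---\n", render_error_strip_tags($phpSelf, $message);
echo "--- escaped ---\n",    render_error_escaped($phpSelf, $message);

// Self-check: neither hardened output may still contain the raw tag.
foreach ([render_error_strip_tags($phpSelf, $message),
          render_error_escaped($phpSelf, $message)] as $html) {
    if (stripos($html, '<body') !== false) {
        throw new RuntimeException('untrusted markup reached the output');
    }
}
echo "self-check passed\n";
```

Run it with `php example.php`. The strip_tags() version removes the `<body ...>` tag entirely, which is why the page's two-line change is sufficient for those specific echoes; the htmlspecialchars() version keeps the text visible (as `&lt;body ...&gt;`) and is the function to reach for when the same value could also be printed inside an attribute.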