XSS is the abbreviation for Cross-Site Scripting; the "X" is used so that it is not confused with CSS (Cascading Style Sheets).
Attackers mainly use cross-site scripting to read the cookies or other personal data of a website's users. Once an attacker has that data, he can impersonate the user, log on to the website, and obtain that user's permissions.
Common steps of a cross-site scripting attack:
1. The attacker sends the target user an HTTP link containing the XSS payload in some way.
2. The target user logs on to the website and, while logged in, opens the link sent by the attacker.
3. The website executes the XSS attack script.
4. The target user's page is redirected to the attacker's website, and the attacker obtains the target user's information.
5. The attacker uses the target user's information to log on to the website, completing the attack.
When a program has a cross-site scripting vulnerability, the attacker can construct a URL such as http://www.sectop.com/search.php like this: ? Key =. After the user clicks it, the cookie value can be obtained.
Defense methods:
Use the htmlspecialchars function to convert special characters into HTML encoding.
Function prototype:
string htmlspecialchars(string $string, int $quote_style, string $charset)
$string is the string to be encoded.
$quote_style is optional. The value can be ENT_COMPAT, ENT_QUOTES, or ENT_NOQUOTES. The default is ENT_COMPAT, which converts only double quotation marks and leaves single quotation marks alone. ENT_QUOTES converts both double and single quotation marks. ENT_NOQUOTES converts neither double nor single quotation marks.
$charset is optional and indicates the character set used.
The function converts the following special characters into HTML entities:
& --> &amp;
" --> &quot;
' --> &#039; (only with ENT_QUOTES)
< --> &lt;
> --> &gt;
Cross-site scripting through the $_SERVER["PHP_SELF"] variable
When a form submits its parameters back to the same page, this variable is commonly used as the form's action.
The value of $_SERVER["PHP_SELF"] is the name of the current page.
Example:
http://www.sectop.com/get.php
The preceding form is in get.php.
Then we submit
http://www.sectop.com/get.php/>
and the form becomes
" method="POST">
The XSS script has been inserted into the form's action.
The defense is to pass the output variable through htmlspecialchars, or to write the file name directly into the form's action instead of echoing the variable.
This prevents $_SERVER["PHP_SELF"] from being used for cross-site scripting.
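The two defenses described above (escaping the echoed search term and the self-submitting form's action), as an added PHP example that is not part of the original article; the helper name e(), the selfAction() function and the constructed $_SERVER / $_GET values are assumptions made for this illustration.

```php
<?php
// Added example (not from the original article): escape output with
// htmlspecialchars() so that a search term and $_SERVER['PHP_SELF'] are
// rendered as text instead of being interpreted as markup.

declare(strict_types=1);

// Helper: always pass ENT_QUOTES so both " and ' are converted, and name the
// charset explicitly so malformed multibyte input cannot confuse the encoder.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Action for a form that posts back to itself. PHP_SELF can carry extra
// path segments supplied by the client, so it is escaped before it is echoed;
// hard-coding the script name ('get.php') is the simpler alternative.
function selfAction(): string
{
    return e($_SERVER['PHP_SELF'] ?? 'get.php');
}

// Constructed request values so the script can be run from the command line;
// they stand in for what a browser would send.
$_SERVER['PHP_SELF'] = '/get.php/"><b>injected</b>';   // constructed
$_GET['key'] = '<i>"search" term</i>';                 // constructed

$key = (string) $_GET['key'];

// Unsafe: raw values become part of the HTML and can add new elements.
$unsafe = '<form action="' . $_SERVER['PHP_SELF'] . '" method="POST">'
        . 'You searched for: ' . $key . '</form>';

// Safe: every special character is converted to an entity, so the browser
// shows the text literally and the form's action stays a plain URL.
$safe = '<form action="' . selfAction() . '" method="POST">'
      . 'You searched for: ' . e($key) . '</form>';

echo "Unsafe:\n", $unsafe, "\n\nSafe:\n", $safe, "\n";
```

Running it prints the two form strings side by side; in the safe version the quotation marks and angle brackets appear as &quot;, &lt; and &gt;, so the injected text cannot close the attribute or open a new tag.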