In this paper, the method of thinkphp2.x protection against XSS cross-site attack is described. Share to everyone for your reference. Specific as follows:
has been using thinkphp2.x, through the dark cloud has submitted to the thinkphp XSS attack bug, take the time to read it.
The principle is to pass the URL into the script tag, thinkphp the exception error page directly output script.
Principle:
Http://ask.lenovo.com.cn/index.php?s=1%3Cbody+onload=alert (1)%3e
Where the value of M is a non-existent module, and is a complete script, implemented in the exception error page to implement XSS cross-site attacks.
Precautionary approach:
Find exception error page template ThinkException.tpl.php (2,x), THINK_EXCEPTION.TPL (3.x) There are two places to modify:
The 57th line copies the code code as follows: Echo ($_server[' php_self ')
Instead, copy the Code code as follows: Echo strip_tags ($_server[' php_self ')
The 62nd line copies the code code as follows: Echo $e [' message ']
Instead, copy the Code as follows: Echo strip_tags ($e [' message '])
In addition, thinkphp since 3.0 officially has been on the TP variable group_name,module_name,action_name,__url__,__self__,__app__,$_server[' PHP_SELF '] Do a safe handling.
PS: Security is not the responsibility of the framework, we should pay attention to when developing.
It is hoped that this article is helpful to the PHP program design based on thinkphp framework.