【发布时间】:2011-11-17 19:54:11
【问题描述】:
长期观看,第一次发帖。我是 php 新手,希望有人能提供帮助。我使用此网站上的联系表格Tutorial Stag Contact Form Php Ajax Jquery 遇到了 pci 合规问题。我想知道我需要做什么才能合规,我用控制扫描运行了代码,这就是返回的内容:
Summary:
Cross-Site Scripting
Risk: High (3)
Type: Fritko
Port: 80
Protocol: TCP
Threat ID: 300004
Information From Target:
Regular expression ".{0,1}'.{0,1}">" matched contents of /contactform.php/'">.
Query Parameters
Fritko - '">
Solution:
There are built in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function In .Net you can use the Server.HtmlEncode() function.Details:
XSS is a type of computer security vulnerability typically found
in web applications which allow code injection by malicious web
users into the web pages viewed by other users. Examples of such
code include HTML code and client-side scripts.
An attacker can use this vulnerability to completely alter the
layout of a particular page for a specific user or to force the
user to launch malicious javascript.
Cross site scripting occurs when user input is not properly
encoded by the application prior to display back to the user. In
order to fix this issue, the application developers must encode
most non-alphanumeric user-supplied data into their corresponding
HTML characters before the data is displayed back to the user. For
example, " would convert to " and < would convert
to <
There are built in functions for different languages that may do
the encoding for you. In PHP you can use the htmlspecialchars()
function In .Net you can use the Server.HtmlEncode() function.
在进行大量谷歌搜索时,我迷失了应该添加什么来解决问题。网站上的代码正是我使用的。你们能帮我解决这个问题吗?如果您访问该网站,您将能够查看完整的代码并帮助我,我将不胜感激!
【问题讨论】:
-
您似乎使用自动化工具收集了这些信息。您需要手动查看给出的信息是否为误报。因此,您首先需要了解 XSS 是什么,并且您需要学习(阅读)相关代码。两者都是只能由您自己完成的操作(学习),这太宽泛了,恕我直言。
标签: php jquery contact-form cross-site pci-compliance