2013-12-19 94 views
0

我看到我的腳本容易受到XSS的攻擊,我是PHP新手,所以我真的不知道應該看哪裏。這裏是所有我使用代碼:對XSS的保護

<?php 
$host = $_SERVER['HTTP_HOST']; 
$map = opendir(gif); 
$m = 0; 
while(false !=($file = readdir($map))){ 
if($file != "." && $file != ".."){ 
$gif[$m]= $file; 
$m++; 
} 
} 
$random_gif=rand(0,count($gif)-1); 
?> 

&

<html> 
<head> 
    <meta http-equiv = "Content-Type" content = "text/html; charset=UTF-8"> 
    <title><?php echo $_GET['gif']; ?> - Xanu</title> 
</head> 
<body><center> 
<object width="650" height="650"> 
<embed src="gif/<?php echo $_GET['gif']; ?>" width="640" height="480"></embed> 
<br><b><font face="Arial"> 
     <font size="10"><?php echo $_GET['gif']; ?></font><br><br> 
     Link naar de bullshit die hier boven staat?<br> 
     <input type="text" size="55" name="giflink" value="http://<?php echo $host; ?  
>/file.php?gif=<?php echo $_GET['gif']; ?>"><br><br> 
<?php 
echo '<a href="http://'.$host.'/file.php?gif='.$gif[$random_gif].'">Klik hier voor  nieuwe bullshit!</a>'; 
?> 
+0

可能重複XSS漏洞?](http://stackoverflow.com/questions/5414962/protection-against-xss-exploits) – MeNa

回答

0

你發送$_GET['gif']回用戶,所以你應該使用htmlspecialchar

<?php echo htmlspecialchar($_GET['gif'] , ENT_QUOTES); ?> 
[防護的