2
我在基於wordpress的網站上有一個HTML表單,允許用戶查看與表單輸入相匹配的數據庫記錄。使用基於本教程的AJAX http://www.w3schools.com/ajax/ajax_aspphp.asp我有一個使用GET腳本在服務器上的PHP腳本的JavaScript。但javascript不允許通過XSS保護運行控制檯輸出如下由於XSS保護,Javascript未被執行
The XSS Auditor refused to execute a script in 'page' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
這是由我的javascript被調用引起的?
來源:
<html>
<head>
<script>
function showUser(degreecourse, Interest, gradyear){
var xmlHttp = new XMLHttpRequest();
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
document.getElementById("info").innerHTML=xmlhttp.responseText;
}
else{document.getElementById("info").innerHTML}="Error";
}
xmlhttp.open("GET","/getcandidates.php?q=degreecourse=" + escape(degreecourse) + "&Interest=" + escape(Interest) + "&gradyear=" + escape(gradyear),true);
xmlhttp.send();
return false;
}
</script>
</head>
<body>
Filter By:
<form >
<table>
<tbody>
<tr>
<td>Degree Course:</td>
<td><select name="degreecourse" onchange = "showUser(document.getElementById('degreecourse').value, document.getElementById('Interest').value, document.getElementById('gradyear').value)">
<option>Any</option><option>Archaeology</option><option>Biochemistry</option><option>Biology</option><option>Biomedical Sciences</option><option>Chemistry</option><option>Computer Science</option><option>Economics</option><option>Education</option><option>Electronics</option><option>English</option><option>Environmental Studies</option><option>History</option><option>History of Art</option><option>Language and Linguistic Studies</option><option>Law</option><option>Management</option><option>Mathematics</option><option>Medicine</option><option>Music</option><option>Nursing, Midwifery and Healthcare</option><option>Philosophy</option><option>Physics</option><option>Politics</option><option>Politics, Economics and Philosophy</option><option>Psychology</option><option>Social Policy and Social Work</option><option>Social and Political Sciences</option><option>Sociology</option><option>Theatre, Film and Television</option></select></td>
</tr>
<tr>
<td>Interest:</td>
<td><select name="Interest" onchange = "showUser(document.getElementById('degreecourse').value, document.getElementById('Interest').value, document.getElementById('gradyear').value)">
<option>Any</option><option>Management</option><option>Marketing<option>Technical</option>
</select>
</td>
</tr>
<tr>
<td>Graduating After:</td><td><input id="gradyear" type="number" value=2013 name="gradyear" onchange = "showUser(document.getElementById('degreecourse').value, document.getElementById('Interest').value, document.getElementById('gradyear').value)"/></td>
</tr>
</tbody>
</table>
</form>
<br>
<div id="info"><b>Person info will be listed here.</b></div>
</body>
</html>
的PHP文件返回一個HTML表連接到數據庫後,如下所示。
echo "<table border='1'>
<tr>
<th>Firstname</th>
<th>Lastname</th>
<th>Degree Subject</th>
<th>Email Address</th>
<th>Graduating Year</th>
<th>Interest</th>
<th>CV</th>
</tr>";
while($row = mysqli_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $row['Forname'] . "</td>";
echo "<td>" . $row['Surname'] . "</td>";
echo "<td>" . $row['DegreeSubject'] . "</td>";
echo "<td>" . $row['EmailAddress'] . "</td>";
echo "<td>" . $row['GraduatingYear'] . "</td>";
echo "<td>" . $row['Interest'] . "</td>";
echo "<td><form action='www.yorkcommunityconsulting.co.uk/CVs/".$row['CVurl']."><input type='submit' value='See CV'></form></td>";
echo "</tr>";
}
echo "</table>";
'因爲它的源代碼在請求中被發現... ...什麼是URL? – SLaks
請不要使用或鏈接到w3學校的教程。他們本質上是垃圾。 –
http://www.yorkcommunityconsulting.co.uk/search-for-staff/這個問題可能是由於它是一個未公佈的wordpress草案。 –