0
長時間查看器,首次發佈。我對PHP很陌生,希望有人能夠提供幫助。我有一個pci-compliance問題,使用本網站的聯繫表格Tutorial Stag Contact Form Php Ajax Jquery。我想知道我需要什麼才能做都符合,我跑了控制掃描代碼,這就是被退回:PCI合規性跨站腳本 - 聯繫表
Summary:
Cross-Site Scripting
Risk: High (3)
Type: Fritko
Port: 80
Protocol: TCP
Threat ID: 300004
Information From Target:
Regular expression ".{0,1}'.{0,1}">" matched contents of /contactform.php/'">.
Query Parameters
Fritko - '">
Solution:
There are built in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function In .Net you can use the Server.HtmlEncode() function.Details:
XSS is a type of computer security vulnerability typically found
in web applications which allow code injection by malicious web
users into the web pages viewed by other users. Examples of such
code include HTML code and client-side scripts.
An attacker can use this vulnerability to completely alter the
layout of a particular page for a specific user or to force the
user to launch malicious javascript.
Cross site scripting occurs when user input is not properly
encoded by the application prior to display back to the user. In
order to fix this issue, the application developers must encode
most non-alphanumeric user-supplied data into their corresponding
HTML characters before the data is displayed back to the user. For
example, " would convert to " and < would convert
to <
There are built in functions for different languages that may do
the encoding for you. In PHP you can use the htmlspecialchars()
function In .Net you can use the Server.HtmlEncode() function.
雖然做了很多谷歌搜索,我得到了什麼失去了我應該補充,以解決這個問題。網站的代碼正是我所使用的。你們能幫我解決嗎?如果你去了網站,你可以查看完整的代碼並幫助我,我將非常感激!
看起來已收集使用自動化工具這一信息。您需要手動查看所提供的信息是否爲誤報。因此,您需要首先了解XSS是什麼,並且需要學習(閱讀)有問題的代碼。兩者都是隻能由你自己完成的行爲(學習),這是太寬泛無法回答恕我直言。 – hakre