HTMLPurifier 不工作?
我正在对 HTMLPurifier 进行一些测试,以确保一切按预期工作。我正在使用 http://ha.ckers.org/xss.html 中的示例。我认为我编码的所有内容都是“正确的”,但我能够直接通过 xxs 示例之一。有人可以帮助我吗?
这是页面 common1.php,它声明了一个函数并处理数据:
$config = HTMLPurifier_Config::createDefault();
// configuration goes here:
$config->set('Core.Encoding', 'UTF-8'); // replace with your encoding
$config->set('HTML.Doctype', 'XHTML 1.0 Strict'); // replace with your doctype
function purify($data){
$purifier = new HTMLPurifier($config);
// untrusted input HTML
$pure_html = htmlspecialchars($purifier->purify($data));
return $data;
}
?>
这是我的调试脚本,它尝试(并成功 0_o)传递 xxs:
<?php
include('common1.php');
$t = "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">";
echo purify($t);
?>
I'm putting HTMLPurifier through some tests to make sure that everything works as expected. I'm using examples from http://ha.ckers.org/xss.html. I think everything I coded is 'correct' but I am able to pass one of the xxs examples right through. Can anybody assist me?
Here is the page common1.php it declares a function and processes the data:
$config = HTMLPurifier_Config::createDefault();
// configuration goes here:
$config->set('Core.Encoding', 'UTF-8'); // replace with your encoding
$config->set('HTML.Doctype', 'XHTML 1.0 Strict'); // replace with your doctype
function purify($data){
$purifier = new HTMLPurifier($config);
// untrusted input HTML
$pure_html = htmlspecialchars($purifier->purify($data));
return $data;
}
?>
And here is my debug script that attempts (and succeeds 0_o) in passing xxs:
<?php
include('common1.php');
$t = "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">";
echo purify($t);
?>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您将返回未纯化的标记。更改您的退货声明:
You're returning the unpurified markup. Change your return statement: