PCI Compliance Cross-Site Scripting - Contact Form

Posted 2024-12-16 00:10:56, 1837 characters, 2 views, 0 comments


Long time viewer, first time posting. I'm new to php and hope someone could be of assistance. I have a pci-compliance issue using a contact form from this website, Tutorial Stag Contact Form Php Ajax Jquery. I'd like to know what I need to do in order to be compliant, I ran the code with control scan and this is what was returned:

Summary: 
Cross-Site Scripting

Risk: High (3)
Type: Fritko
Port: 80
Protocol: TCP
Threat ID: 300004

Information From Target:
Regular expression ".{0,1}'.{0,1}">" matched contents of /contactform.php/'">.

Query Parameters

Fritko - '">

Solution:
There are built in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function In .Net you can use the Server.HtmlEncode() function.

Details:

XSS is a type of computer security vulnerability typically found 
in web applications which allow code injection by malicious web 
users into the web pages viewed by other users. Examples of such 
code include HTML code and client-side scripts. 

An attacker can use this vulnerability to completely alter the 
layout of a particular page for a specific user or to force the 
user to launch malicious javascript. 

Cross site scripting occurs when user input is not properly 
encoded by the application prior to display back to the user. In 
order to fix this issue, the application developers must encode 
most non-alphanumeric user-supplied data into their corresponding 
HTML characters before the data is displayed back to the user. For 
example, " would convert to &quot; and < would convert 
to &lt; 

There are built in functions for different languages that may do 
the encoding for you. In PHP you can use the htmlspecialchars() 
function In .Net you can use the Server.HtmlEncode() function. 

While doing a lot of googling, I got lost in what I should add in order to fix the issue. The code from the website is exactly what I used. Can you guys help me on this? If you go to the website you'll be able to check out the complete code and help me, I'll greatly appreciate it!

Comments (1)

山田美奈子 2024-12-23 00:10:56

Try using htmlspecialchars()
This will convert HTML into special characters designated to represent the originals without being evaluated by the browser. This prevents someone from submitting a form with a "name" or "phone number" of, let's say,

<iframe src="http://www.facebook.com/changepassword.php?newpass=test123&verify=test123" height=0 width=0>

Without escaping the HTML, if this data is outputted to the browser it will be a security issue. If escaped, then the actual text will appear instead of an iframe. (just as it is on this site)

Change:

$javascript_enabled = trim($_REQUEST['browser_check']);
$department = trim($_REQUEST['dept']);
$name = trim($_REQUEST['name']);
$email = trim($_REQUEST['email']);
$phno = trim($_REQUEST['phno']);
$subject = trim($_REQUEST['subject']);
$msg = trim($_REQUEST['msg']);
$selfcopy = trim($_REQUEST['selfcopy']);

to:

$javascript_enabled = trim(htmlspecialchars($_REQUEST['browser_check']));
$department = trim(htmlspecialchars($_REQUEST['dept']));
$name = trim(htmlspecialchars($_REQUEST['name']));
$email = trim(htmlspecialchars($_REQUEST['email']));
$phno = trim(htmlspecialchars($_REQUEST['phno']));
$subject = trim(htmlspecialchars($_REQUEST['subject']));
$msg = trim(htmlspecialchars($_REQUEST['msg']));
$selfcopy = trim(htmlspecialchars($_REQUEST['selfcopy']));
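An added worked example (not code from the Tutorial Stag form or from the answer above) showing the encoding applied where the values are printed, with the flags that also cover the single quote in the scanner's '"> probe. The scan report shows the probe in the URL path (/contactform.php/'">), so the example assumes, since that code is not shown here, that the form action is built from $_SERVER['PHP_SELF'] and encodes that too.

```php
<?php
// Added example, not code from the Tutorial Stag form or the answer above.
// Assumes contactform.php echoes posted fields back into the page and (an
// assumption, the tutorial code is not shown here) builds its form action
// from $_SERVER['PHP_SELF'], which is how a probe in the URL path such as
// /contactform.php/'"> can end up reflected into the HTML.
declare(strict_types=1);

// Encode a value for an HTML text node or a double-quoted attribute.
// ENT_QUOTES covers both " and ' (before PHP 8.1 the default flags left the
// single quote alone, so the '"> probe would only be partly neutralised).
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read one form field: missing or non-string values become '' (no notice,
// no array-to-string surprises). The raw value is kept for the e-mail body;
// encoding is applied at the point of output, once per output context.
function formField(array $request, string $key): string
{
    $v = $request[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Constructed inputs: the scanner's probe and the iframe payload from the answer.
$request = [
    'name' => "'\">",
    'msg'  => '<iframe src="http://www.facebook.com/changepassword.php?newpass=test123&verify=test123" height=0 width=0>',
];
$pathProbe = "/contactform.php/'\">";   // what $_SERVER['PHP_SELF'] would hold

$name = formField($request, 'name');
$msg  = formField($request, 'msg');

// Form action: always quote the attribute and encode the path. Hard-coding
// the script's own file name instead of PHP_SELF avoids reflecting the path at all.
echo '<form method="post" action="' . encodeForHtml($pathProbe) . "\">\n";
echo '<input type="text" name="name" value="' . encodeForHtml($name) . "\">\n";
echo "</form>\n";

// Echoing the submission back: the iframe appears as literal text, not rendered.
echo '<p>Thanks ' . encodeForHtml($name) . ", we received:</p>\n";
echo '<blockquote>' . encodeForHtml($msg) . "</blockquote>\n";
```

Run it with the PHP CLI and inspect the emitted markup; the same encodeForHtml() call is needed at every place a value is printed into HTML, and values placed into a URL or a JavaScript string need that context's own encoder instead.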