发布后忽略基本标签
在 Chrome 上,我收到错误 拒绝执行 JavaScript 脚本。在发布包含域名称的数据后,在 request. 中找到脚本的源代码(另请注意任一页面上都缺少 javascript)。
<form action="/badpage2.html" method="post">
<input type="hidden" name="name" value="href=%22http://www.w3.org/%22"/>
<input type="submit" name="submit"/>
</form>
<!DOCTYPE html>
<html>
<head>
<base href="http://www.w3.org/"/>
</head>
<body>
<img src="Icons/w3c_home" alt="">
</body>
</html>
如果您直接转到 badpage2.html ,图像将显示,但如果您通过badpage1.html,图像将不会显示(基本标记不起作用)。
这是 Chrome XSS 检测中的错误吗?如果不是,我该如何绕过这个?对发布的数据进行编码以绕过此过滤器似乎很愚蠢。
编辑:
就我而言,发送的帖子值是更新页面的部分内容。如果它包含恰好包含
On Chrome I'm getting an error Refused to execute a JavaScript script. Source code of script found within request. after posting data that contains the name of the domain (also note the lack of javascript on either page) .
<form action="/badpage2.html" method="post">
<input type="hidden" name="name" value="href=%22http://www.w3.org/%22"/>
<input type="submit" name="submit"/>
</form>
<!DOCTYPE html>
<html>
<head>
<base href="http://www.w3.org/"/>
</head>
<body>
<img src="Icons/w3c_home" alt="">
</body>
</html>
If you go directly to badpage2.html the image will show, but if you go to it via badpage1.html, the image will not show (base tag doesn't work).
Is this a bug in Chrome XSS detection? And if it's not, how would I bypass this? It seems silly to encode the posted data just to bypass this filter.
EDIT:
In my case, the post value sent is to update part of the content of the page. The problem comes if it contains happens to contain the domain name that is used in the <base> (as this example does) it will trigger the XSS detection which disables the <base> tag.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我发现我可以发送自定义 HTTP 标头
X-XSS-Protection。我的 PHP 解决方案使用以下代码:
I found out that I can send the custom HTTP header
X-XSS-Protectionon the page that is being messed up due to the protection.I use the below code for my PHP solution: