直到最近,我还没有和HTML或PHP混为一谈。我的任务是使用漏洞工具来诊断问题,然后尝试修复它们。我发现最高警报是一个跨站脚本(XXS)警报。我已经阅读了这个漏洞,但是在告诉我我真的需要做什么时发现它很混乱。代码如下:试图摆脱代码中的跨站点脚本(XXS)漏洞
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Form Login</title>
</head>
<body OnLoad="document.main.username.focus();">
<table >
<tr>
<td colspan="2">
<h4>Enter your Username and Email Address to continue</h4>
</td>
</tr>
<!-- create the main form with an input text box named uid and a password text box named mypassword -->
<form name="main" method="post" action="authcheck.php">
<tr>
<td>username:</td>
<td><input name="username" type="text" size="50"></td>
</tr>
<tr>
<td>Email Address:</td>
<td><input name="emailadd" type="text" size="50"></td>
</tr>
<tr>
<td colspan="2" align="center"><input name="btnsubmit" type="submit" value="Submit"></td>
</tr>
</table>
</form>
</body>
</html>
下一个节目上面的一个是指如下:当我按下提交按钮时生成
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>User Authenticate </title>
</head>
<body>
<?php
// Retrieve Post Data
$username = $_POST["username"];
$email = $_POST["emailadd"];
// Set the session information
session_start();
$_SESSION['appusername'] = $username;
$_SESSION['appemail'] = $email;
// Display the Session information
echo "<h3> Session Data </h3>";
echo "<table border='1'>";
echo "<tr>
<td>Username </td>
<td> Email </td>
</tr>";
echo "<tr>
<td>" . $_SESSION['appusername'] . "</td>";
echo "<td>" . $_SESSION['appemail']. "</td>";
echo "</tr>";
echo "</table>";
// Provide a button to logout
echo "<form name='logout' method='post' action='logout.php'>
<input name='btnsubmit' type='submit' value='Logout'>
</form>";
?>
</body>
</html>
此程序。
我真的只是想找出我应该试图解决这个错误。谢谢
你需要提供更多的代码和你正在得到什么错误...什么工具检查这个? – cmorrissey
我正在使用名为ZAP –
@RandyGilman的漏洞工具,如来自OWASP的ZAP? –