为什么我的网站会提示"xssvuln"?当我使用jqueryui自动完成? [英] Why does my site alert "xssvuln" when I use jqueryui autocomplete?

查看:97
本文介绍了为什么我的网站会提示"xssvuln"?当我使用jqueryui自动完成?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我在网站上实现了jqueryui自动完成功能,但是当我加载该页面时,它会提示"xssvuln".但是当我尝试在localhost上运行我的网站时,没有问题.你能帮我解决这个问题吗?而且,我在ipage上运行我的网站.

I implement jqueryui autocomplete on my site but when i load that page, it alerts "xssvuln". but when i tried to run my site on localhost, theres no problem. Can you please help me fix this? And also, im running my site on ipage.

这是我的自动填充代码.

this is my js for autocomplete.

$.ajax({
type: 'post',
url: 'autocompleteCourse.php',
dataType: 'json',
success: function(data){
    var availableCourse = data;
    $( "#course" ).autocomplete({
        source: availableCourse,
        messages: {
            noResults: '',
            results: function() {}
        }
    });
    }
});

这是我的自动完成功能的php文件.

and this is my php file for autocomplete.

include'../utility/sqlcon.php';

$query = mysql_query("select * from autocomplete where input = 'course'") or die          (mysql_error());
while($q=mysql_fetch_array($query))
{
$courseOptions[] = $q['autoComplete'];
}

echo json_encode($courseOptions);

推荐答案

我猜想这与jQueryUI自动完成没有什么关系,但这可能表明有人以友好警告的方式入侵了您的网站.

I would guess that this has little to do with jQueryUI autocomplete, but is probably an indication that someone has hacked your site, albeit in a friendly-warning way.

这可能暗示有人设法将某些内容(例如<script>alert('xssvuln');</script>)放入您的数据库,这表明您的网站容易受到跨站点脚本注入.

It's probably a hint that someone's managed to get something into your database like <script>alert('xssvuln');</script> as an indication that your site is vulnerable to cross-site scripting injection.

您能否看一下实时页面的源代码,并查看xssvuln警报的来源?因为我怀疑这是自动完成,还是至少不是直接完成.如果在您使用自动完成功能时发生这种情况,我会检查搜索结果,以查找您在实时系统中要搜索的内容,以查看其中是否包含黑客放入的Javascript,然后将其插入页面中没有适当的转义.

Can you have a look at the source code to your live page, and see where the xssvuln alert is coming from? Because I doubt it's the autocomplete, or at least not directly. If it happens when you use the autocomplete, I'd check the search results for whatever you're searching for in your live system to see if they include some Javascript put in there by a hacker, which you're then inserting into your page without proper escaping.

例如:如果您的网站允许用户添加新内容,而您只是接受他们键入的任何内容,然后将其输出而无需进行任何工作来对其进行清理,请使用 htmlspecialchars() 等-然后,您必须意识到自己正在有效地允许任何人在互联网上向您的网站添加代码.

As an example: if your site lets your users add new content, and you simply accept anything they type, and then output it without doing any work to sanitise it -- removing script tags, using functions like htmlspecialchars() during output, etc. -- then you must realise that you're effectively allowing anyone on the internet to add code to your site.

黑客可以在他们正在探查的站点上快速测试XSS漏洞的方法之一是在站点上找到输入表单,并向其中添加脚本代码,以查看是否通过了未经验证的传递.因此他们可能会找到评论表单,然后输入:

One of the ways a hacker will quickly test for XSS vulnerability on a site they're probing is to find an input form on a site, and add script code to it, to see if it's passed through unsanitised. So they might find a comments form, and type:

<script>alert('xssvuln');</script>

...进入.如果他们然后在网站上查看评论页面,而不是在页面上看到 text <script>alert('xssvuln');</script>(例如,我们在Stack Overflow中所做的),他们会看到Javascript警报,他们知道您的网站容易受到攻击.

...into it. If they then view the comment page on the site and instead of seeing the text <script>alert('xssvuln');</script> on the page (as we do here in Stack Overflow, for example) they see a Javascript alert, they know your site is vulnerable.

所以,我的建议:

  • 找出警报的来源.很有可能是您数据库中用户提交的内容.
  • 阅读跨站点脚本.
  • 保护您的输入和输出免受这种Javascript注入.
  • 如有必要,清理数据库中的现有攻击.

这篇关于为什么我的网站会提示"xssvuln"?当我使用jqueryui自动完成?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
PHP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆