保护联系表格 [英] Securing a Contact Form

问题描述

我有一个客户端，我用Wordpress创建了他们的网站。它具有使用联系表单7创建的联系表单。此客户端是IT部门在其子域上运行扫描的大型组织的子公司。要求我的客户保护Contact Form 7免受恶意脚本的攻击或将其删除。

I have a client whose website I created with Wordpress. It has a contact form created with contact form 7. This client is a subsidiary of a larger organization who's IT department runs scans on their subdomains. The asked my client to protect Contact Form 7 from malicious scripts or take it down.

当我询问他们测试的示例时，我的客户告诉我他们运行测试脚本是否可以插入输入（即：< script> alert（'hello'）;< / script> ）字段或作为网址string（即： www.mydomain.com/contact?<script>alert（'hello'）;< / script> ）。

When I asked for an example of what they tested, my client informed me that they run tests to see if a script could be inserted into a input (ie: <script>alert('hello');</script>) field or as a url string (ie: www.mydomain.com/contact?<script>alert('hello');</script>).

使用查询字符串，联系表单将操作设置为： action =/？scriptalert（'hello'）; / script＃wpcf7-f1-p6-o1 。我的第一个问题是，自<以来，这会伤害到什么并且>已从字符串中删除了？

With the query string, the contact form sets the action to: action="/?scriptalert('hello');/script#wpcf7-f1-p6-o1". My first question would be, will this harm anything since the "<" and ">" has been removed from the string?

如果是这样，我可以添加任何内容以删除在此联系表单中运行脚本的可能性吗？

If so, is there anything I can add to remove the possibility of running scripts in this contact form?

推荐答案

HTML编码是防止任何HTML / JS生效的一种方法。在页面中显示之前对任何用户提供的值进行编码是个好主意。

HTML Encoding is one way to prevent any HTML/JS from taking effect. It's a good idea to encode any user-supplied value before displaying it in the page.

参见 http://ca3.php.net/manual/en/function.htmlentities.php

这篇关于保护联系表格的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！