Magento XSS Prevention


Question

Is there any way to prevent XSS attacks in Magento? On my localhost I am just trying to check how to prevent XSS attacks. For example, I am inserting a script when a user registers in Magento; I was just shocked that when inserting a whole script in the name field I was successfully registered. My dashboard screenshot:

After refreshing the page I got another screen.

I just want to prevent users so that no one can do that.

Please help me prevent those types of attacks.

Answer

Also, this may be a template problem. If your template doesn't properly escape user input, you end up with garbage in your database. I'm running 1.4.1.1 as well, but the input fields are filtered as follows:

<li class="wide">
    <label for="street_1" class="required"><em>*</em><?php echo $this->__('Street Address') ?></label>
    <div class="input-box">
        <input type="text" name="street[]" value="<?php echo $this->htmlEscape($this->getAddress()->getStreet(1)) ?>" title="<?php echo $this->__('Street Address') ?>" id="street_1" class="input-text required-entry" />
    </div>
</li>

The htmlEscape() function is supposed to take care of the nasties. On some templates it was missing from search fields, and you could get a verifiable XSS problem using it.
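To make the answer's point concrete, here is an added example (not code from the question, the answer or Magento itself) that renders the same kind of input field with and without output escaping. The escape() helper is a stand-in for Magento's $this->htmlEscape(), assumed here to wrap PHP's htmlspecialchars() with ENT_QUOTES; the stored name is a constructed sample value.

```php
<?php
// Added example, not from the original page or from Magento.
// escape() stands in for Magento's $this->htmlEscape(); it is assumed to wrap
// htmlspecialchars() with ENT_QUOTES so the value is safe inside a quoted
// attribute as well as in element content.
function escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a customer name as it might sit in the database when the
// registration form accepted it without any validation.
$storedName = '<script>alert("xss")</script>';

// Vulnerable template: the raw value is dropped into the attribute. The double
// quotes inside the value terminate the attribute, so the browser parses the
// rest of the stored string as markup and runs the script element.
function renderUnsafe(string $name): string
{
    return '<input type="text" name="firstname" value="' . $name . '" />';
}

// Hardened template: the value is escaped at the point of output, which is
// exactly what the htmlEscape() call in the street-address template does.
// <, >, " and ' become entities, so the browser treats the whole value as text.
function renderSafe(string $name): string
{
    return '<input type="text" name="firstname" value="' . escape($name) . '" />';
}

echo "Unsafe: " . renderUnsafe($storedName) . PHP_EOL;
echo "Safe:   " . renderSafe($storedName) . PHP_EOL;
```

Escaping belongs at output time in every .phtml file that echoes customer or request data, so reviewing the theme's templates for echo statements that skip htmlEscape() is the practical check the answer implies.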

