403如果输入包含“script” [英] 403 Forbidden if input contains "script"

问题描述

我面临一个有点奇怪的问题，我会很感激任何帮助。
我正在寻找一个页面提交谷歌Adsense代码，然后将其保存到数据库（我有一个输入字段接受GA代码和一个提交按钮，非常简单的形式）
事情是，如果输入字段包含< script>作为值，那么在提交表单时，我总是得到403禁止。
如果我尝试提交其他任何东西，它的工作正常，但我不明白为什么文本不能包含< script>。

I am facing one kinda odd problem and I'd appreciate any help. I am looking to have a page submit a Google Adsense code and then save it to the database (I have a input field to accept GA code and a submit button, very simple form) The thing is, I always get 403 forbidden when submiting a form, if input field contain "<script>" as a value. If I try to submit anything else it works fine, but I can't figure out why text must not contain "<script>".

注意：这对于mysql转义或类似的东西并不是问题，即使我注释掉完整的PHP代码，它也会发生。它看起来像POST不会接受这一点。

Note: it's not a problem with mysql escape or something similar, it happens even if I comment out complete PHP code. It just seems like POST won't accept this.

另一件要提到的是，这个问题不会发生在localhost（xampp）中，但只有在上传到Namecheap主机时才会发生。

Another thing to mention, this problem DOES NOT occurs in localhost (xampp), but only when uploaded to Namecheap hosting.

任何想法为什么会发生这种情况，以及如何制定解决方法？

Any ideas why this happens and how to make a workaround?

推荐答案

Namecheap可能在其服务器上配置了mod_security规则，以阻止包含标签的帖子，因为这些标签被允许发布回网页，如果web应用程序无法正确处理这些问题，就会打开严重的客户端脚本漏洞之门。如果这篇文章甚至可以将它转换为php（在你的情况下它不能），你应该可以调用htmlspecialchars或htmlentities来过滤掉它们。如果Namecheap正在为您做这件事，并且这是一个问题，那么除了更改主机之外，您可以做的事情不多，因为共享主机不允许您对服务器配置进行任何说明。

Namecheap has probably configured mod_security rules on their servers so to block posts which contain tags as these tags being allowed to be posted back to a webpage opens the door to very serious client side scripting vulnerabilities if the web app doesn't handle this correctly. If the post can even make it to php (which in your case it can't) you should be able to call htmlspecialchars or htmlentities on it to filter these out. If Namecheap is doing this for you and this is a problem then there's not much you can do other than changing hosts as shared hosting doesn't allow you any say over server configuration.

这篇关于403如果输入包含“script”的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！