发布后忽略基本标签 [英] Ignoring base tag after post
问题描述
在Chrome上,我收到一个错误拒绝执行JavaScript脚本。在发布包含域名的数据后(也请注意在任一页面上缺少javascript),在请求中找到脚本的源代码。
On Chrome I'm getting an error Refused to execute a JavaScript script. Source code of script found within request. after posting data that contains the name of the domain (also note the lack of javascript on either page) .
<form action="/badpage2.html" method="post">
<input type="hidden" name="name" value="href=%22http://www.w3.org/%22"/>
<input type="submit" name="submit"/>
</form>
<!DOCTYPE html>
<html>
<head>
<base href="http://www.w3.org/"/>
</head>
<body>
<img src="Icons/w3c_home" alt="">
</body>
</html>
如果直接进入 badpage2.html 图片将显示,但如果您通过 badpage1.html 进入该图片,图片将不会显示(基本标记不起作用)。
If you go directly to badpage2.html the image will show, but if you go to it via badpage1.html, the image will not show (base tag doesn't work).
这是Chrome XSS检测中的错误吗?如果不是,我怎么会绕过这个?编辑发布的数据只是为了绕过这个过滤器似乎很愚蠢。
Is this a bug in Chrome XSS detection? And if it's not, how would I bypass this? It seems silly to encode the posted data just to bypass this filter.
编辑:
在我的情况下,发送的帖子值是更新页面的部分内容。如果它包含碰巧包含在< base> 中使用的域名(如本例所示),则会触发XSS检测,从而禁用< base> 标签。
In my case, the post value sent is to update part of the content of the page. The problem comes if it contains happens to contain the domain name that is used in the <base> (as this example does) it will trigger the XSS detection which disables the <base> tag.
推荐答案
自定义HTTP标头 X-XSS-Protection ,因为这个保护措施已经搞乱了页面。
I found out that I can send the custom HTTP header X-XSS-Protection on the page that is being messed up due to the protection.
我为我的PHP解决方案使用下面的代码:
I use the below code for my PHP solution:
header( "X-XSS-Protection: 0" );
这篇关于发布后忽略基本标签的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
