XSS security and defense
Approach
The general idea of XSS defense is: filter the input, encode the output.
Filter: filter according to business needs. For example, if an output point claims to take a phone number, only allow input in digit form.
Escape: every piece of data sent to a front-end output point is escaped according to the context it lands in, e.g. HTML entity escaping for output into HTML, and JS escaping for output into JS.
Bypass cases
XSS bypass when the output lands in an href:
Code level: `$html .= "<a href='{$message}'>";`
message is the information the user submitted.
Submitting `javascript:alert(1111)` puts the string straight into the href, which bypasses htmlspecialchars: that function only encodes `<`, `>`, `&` and quotes, and a `javascript:` URL needs none of them.
Solution
An href normally points at a URL.
Add a check at the point where the user input is received:
only allow values beginning with http or https, and only then pass them through htmlspecialchars.
XSS bypass when the output lands in JS:
Code level (the page as rendered after the payload below has been interpolated into the string literal):
```html
<script>
// user input is interpolated directly into the string literal, unescaped
$ms='11'</script><script>alert(1111)</script> ;
if($ms.length != 0){
  if($ms == 'tmac'){
    $('#fromjs').text('tmac确实厉害,看那小眼神..')
  }else {
    // alert($ms);
    $('#fromjs').text('无论如何不要放弃心中所爱..')
  }
}
</script>
```
The payload is `1'</script><script>alert(1111)</script>`.
When user input is used to generate JS dynamically, the XSS arises because JavaScript does not decode HTML character entities, so the value has to be escaped for JS rather than for HTML.
If entity encoding were applied here it would stop the XSS, but the entity-encoded content would not be decoded inside JS, so the front-end function would stop working; therefore use `\` to escape the special characters instead.