【DVWA】XSS

Almost anyone who has learned a little HTML can write a simple input box, but if you do not filter what comes in, you may be hit by an XSS attack: an attacker can plant a series of JavaScript scripts on your website, and those scripts are very likely to leak the cookies of the people who visit it. If the input box is also connected to your database, the problem becomes even bigger.

A very simple XSS can be seen in DVWA's XSS (Reflected) module. As shown in the figure, there is only one input box; type something into it, click Submit, and the web page echoes it back:

The code behind this page is as simple as you would expect: as soon as the parameter is received, it is reflected straight back:

<?php

// Switch off the browser's legacy built-in XSS filter so the reflection is not blocked
header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
	// Feedback for end user
	$html .= '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
}

?>

But have you considered what happens if the name parameter is <script>XX</script>? The HTML of the page then becomes:

<pre>
	Hello <script>XX</script>
</pre>

The attacker can put whatever script they like in place of XX. In other words, simply type <script>XX</script> into the input box, for example <script>alert(1)</script>, and click Submit; the page pops up an alert window, as shown in the following figure:

Obviously, a real attacker will not pop up a window; they will write genuinely harmful scripts.

Therefore we must guard every place on the website that accepts input. PHP has a very useful built-in function, htmlspecialchars(), which converts special characters such as < and > into HTML entities, so that something like <script> is displayed as text instead of being executed. DVWA's Impossible level does exactly this, as the following code shows:

<?php

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
	// Check Anti-CSRF token
	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

	// Get input and encode <, >, &, and quotes as HTML entities so the value is rendered as text
	$name = htmlspecialchars( $_GET[ 'name' ] );

	// Feedback for end user
	$html .= "<pre>Hello ${name}</pre>";
}

// Generate Anti-CSRF token
generateSessionToken();

?>
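To see the difference between the two levels without a browser, here is an added example (my own code, not DVWA's) that wraps the Low and Impossible render paths from the page in two plain functions and runs them over a few constructed inputs from the PHP command line. The ENT_QUOTES and ENT_SUBSTITUTE flags and the charset argument are additions of mine, not part of DVWA's snippet.

```php
<?php
// Added example, not DVWA's code: the Low and Impossible render paths
// from the page as plain functions, runnable with `php example.php`.

// Low level: the parameter is concatenated straight into the page,
// so any markup in $name becomes part of the document.
function render_low(string $name): string {
    return '<pre>Hello ' . $name . '</pre>';
}

// Impossible level: special characters are converted to HTML entities first.
// ENT_QUOTES is passed explicitly so that both ' and " are encoded on every
// PHP version (before PHP 8.1 the default flags left single quotes alone).
// ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning "".
function render_impossible(string $name): string {
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<pre>Hello {$safe}</pre>";
}

// Returns true when the rendered HTML still contains a raw '<' or '>',
// i.e. when the input was able to introduce its own tags.
function contains_raw_markup(string $html): bool {
    $inner = substr($html, strlen('<pre>Hello '), -strlen('</pre>'));
    return strpbrk($inner, '<>') !== false;
}

// Constructed sample inputs: a normal name, the page's alert(1) payload,
// and a value with quotes and an ampersand to show entity encoding.
$inputs = [
    'Alice',
    '<script>alert(1)</script>',
    'O\'Reilly & "Sons"',
];

foreach ($inputs as $input) {
    $low  = render_low($input);
    $safe = render_impossible($input);
    echo "input:      {$input}\n";
    echo "low:        {$low}  (raw markup: " . var_export(contains_raw_markup($low), true) . ")\n";
    echo "impossible: {$safe}  (raw markup: " . var_export(contains_raw_markup($safe), true) . ")\n\n";
}
```

htmlspecialchars() is the right tool only when the value lands in HTML body or attribute text; a value placed inside a <script> block or a URL needs encoding for that context instead.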

Of course, if the contents of your input box will later be written to the database, then the content of "[DVWA] SQL Injection" ( https://my.oschina.net/u/3776619/blog/1805225 ) must also be taken into account. DVWA's XSS (Stored) module is a good combined example of both, and you can study it further if you are interested.
