
Link exchange application form has an XSS vulnerability #118

Closed
thiscodecc opened this issue Oct 7, 2019 · 1 comment

Comments

@thiscodecc

When applying for a link exchange on the front end, enter javascript:alert('xss');//http in the URL field.

When viewing it in the admin backend, clicking this URL triggers the payload.


public function setUrlAttribute($value)
    {
        // If the string does not contain "http", prepend "http://"
        if (strpos($value, 'http') === false) {
            $value = 'http://' . $value;
        }

        $this->attributes['url'] = strtolower(rtrim($value, '/'));
    }

When the code validates the URL, it only checks whether the string contains "http" anywhere; if not, it prepends "http" to the beginning.
It does not check where "http" appears in the string, so javascript:alert('xss');//http bypasses the check. The check should require "http" to appear at the start of the string.
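One way to close this gap, as an added example that is not the project's own fix (the referenced commit is not shown on this page): parse the URL and allow only the http and https schemes, instead of searching for the substring "http". The function name normalizeLinkUrl and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not the project's fix): normalize a submitted link URL and
// accept only http/https, so a "javascript:" URL is never stored for the admin to click.
function normalizeLinkUrl(string $value): ?string
{
    $value = trim($value);

    // Prepend "http://" only when the string carries no scheme at all, i.e. it does
    // not start with "<scheme>:" (letters, digits, "+", "-", "." as in RFC 3986).
    // A bare "host:port" without scheme also matches and ends up rejected below, which is
    // the safe direction; extend the check if such input must be accepted.
    if (!preg_match('#^[a-z][a-z0-9+.-]*:#i', $value)) {
        $value = 'http://' . $value;
    }

    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // unparseable, or no host: reject
    }

    // Allow-list the scheme: "javascript", "data", "vbscript", "ftp" all fail here.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // Lower-case only scheme and host (path and query may be case-sensitive), unlike
    // the original mutator which lower-cases the whole string.
    $url = $scheme . '://' . strtolower($parts['host']);
    if (isset($parts['port']))  { $url .= ':' . $parts['port']; }
    $url .= $parts['path'] ?? '';
    if (isset($parts['query'])) { $url .= '?' . $parts['query']; }
    return rtrim($url, '/');
}

// Constructed inputs: the payload from the report plus ordinary cases.
$cases = [
    "javascript:alert('xss');//http" => null,                       // rejected
    'example.com/'                   => 'http://example.com',       // scheme added
    'HTTPS://Example.COM/Blog/'      => 'https://example.com/Blog', // normalized
    'ftp://example.com'              => null,                       // rejected
];
foreach ($cases as $input => $expected) {
    $got = normalizeLinkUrl($input);
    assert($got === $expected);
    printf("%-32s => %s\n", $input, $got ?? 'rejected');
}
```

Storing the URL is only half of the mitigation; the admin view should also render it with proper output escaping, but the scheme allow-list above is what stops the reported bypass at the source.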

baijunyao added a commit that referenced this issue Oct 8, 2019
@baijunyao
Owner

Thanks for the report; if the admin clicks the problematic URL in the backend they would indeed be attacked; fixed.
