Bug: V5.6 Cross Site Scripting Vulnerability #7
Comments
|
Thank you |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
There is an xss vulnerability in your latest version of the v5.6
No security check in page phpmywind/admin/infolist_add.php
When I add a new article, I use "<script>alert(/xss/)</script>" as the title
then back to the PHPMYWIND/admin/infolist.php
background page executed a javascript script
javascript also executed on mainpage
Fix:
Strictly verify user input, you must perform strict checks and html escape escaping on all input scripts, iframes, etc. The input here is not only the input interface that the user can directly interact with, but also the variables in the HTTP request in the HTTP request, the variables in the HTTP request header, and so on.
Verify the data type and verify its format, length, scope, and content.
Not only need to be verified on the client side but also on the server side.
The output data should also be checked. The values in the database may be output in multiple places on a large website. Even if the input is coded, the security check should be performed at the output points.
The text was updated successfully, but these errors were encountered: