ASP Classic: poor XSS validation
Tags: asp-classic, xss

I am getting a "poor XSS validation" finding on the following code:
<TABLE cellpadding=0 cellspacing=1 border=0 style="table-layout:fixed">
<col width=20%>
<col width=13%>
<col width=20%>
<col width=13%>
<col width=20%>
<col width=13%>
<TR height=25>
<TD class=border_title_sub colspan=2 align=center>미작성</TD>
<TD class=border_title_sub colspan=2 align=center>임시저장중</TD>
<TD class=border_title_sub colspan=2 align=center>작성완료</TD>
</TR>
<%
do until (rs_1.EOF and rs_2.EOF and rs_3.EOF)
%>
<TR height=25>
<%
if rs_1.EOF then
%>
<TD class=border_text> </TD>
<TD class=border_text align=center> </TD>
<%
else
rs_1_check_name = rs_1("check_name")
rs_1_user_name = rs_1("user_name")
%>
<TD class=border_text><%=HTMLDecode(Server.HTMLEncode(rs_1_check_name))%></TD>
<TD class=border_text align=center><%=HTMLDecode(Server.HTMLEncode(rs_1_user_name))%></TD>
<%
end if
if rs_2.EOF then
%>
<TD class=border_text> </TD>
<TD class=border_text align=center> </TD>
<%
else
rs_2_check_name = rs_2("check_name")
rs_2_user_name = rs_2("user_name")
%>
<TD class=border_text><%=HTMLDecode(Server.HTMLEncode(rs_2_check_name))%></TD>
<TD class=border_text align=center><%=HTMLDecode(Server.HTMLEncode(rs_2_user_name))%></TD>
<%
end if
if rs_3.EOF then
%>
<TD class=border_text> </TD>
<TD class=border_text align=center> </TD>
<%
else
rs_3_check_name = rs_3("check_name")
rs_3_user_name = rs_3("user_name")
%>
<TD class=border_text><%=HTMLDecode(Server.HTMLEncode(rs_3_check_name))%></TD>
<TD class=border_text align=center><%=HTMLDecode(Server.HTMLEncode(rs_3_user_name))%></TD>
<%
end if
%>
</TR>
<%
if not rs_1.EOF then rs_1.movenext
if not rs_2.EOF then rs_2.movenext
if not rs_3.EOF then rs_3.movenext
loop
rs_1.close
rs_2.close
rs_3.close
set rs_1 = Nothing
set rs_2 = Nothing
set rs_3 = Nothing
%>
</TABLE>
Here, HTMLDecode is my custom function, defined as follows:
<%
' Reverses the entities that Server.HTMLEncode produces, plus &nbsp;
' and numeric references up to &#255;
Function HTMLDecode(sText)
    Dim I
    sText = Replace(sText, "&quot;", Chr(34))
    sText = Replace(sText, "&lt;", Chr(60))
    sText = Replace(sText, "&gt;", Chr(62))
    sText = Replace(sText, "&amp;", Chr(38))
    sText = Replace(sText, "&nbsp;", Chr(32))
    For I = 1 To 255
        sText = Replace(sText, "&#" & I & ";", Chr(I))
    Next
    HTMLDecode = sText
End Function
%>
Multiple posts. I have to ask, taking the sample rows as an example: why are three different recordsets opened? In theory, passing the value through the two functions gives you exactly the same value as writing the recordset field value out directly.

Because HtmlEncode replaces " " with "&nbsp;", the HTMLDecode function then decodes it back to " ".

Yes. I know. But how do I get past the security scan check? The data in the database is already encoded. If I display it directly, when it goes through the security scan I get an "XSS: Consistent" issue. If I use only Server.HTMLEncode(""), the data in the display gets corrupted. So I use both. Now the security scan gives me an "XSS: Poor Validation" issue.
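The comment above about the two functions cancelling each other out is the heart of the scanner finding, and the following added example (not code from the question or from any library) shows it in plain VBScript so it can be run with cscript outside IIS. Because Server.HTMLEncode only exists inside ASP, the example uses a hypothetical HtmlEncodeText that encodes the same structural characters, and a hypothetical HtmlDecodeText with the same behaviour as the question's HTMLDecode; the two stored rows are constructed sample values.

```vbscript
Option Explicit

' Hypothetical stand-in for Server.HTMLEncode (only available under IIS):
' encodes the characters that can change HTML structure.
Function HtmlEncodeText(sText)
    Dim s
    s = sText
    s = Replace(s, "&", "&amp;")   ' must run first, or later entities get re-encoded
    s = Replace(s, "<", "&lt;")
    s = Replace(s, ">", "&gt;")
    s = Replace(s, """", "&quot;")
    HtmlEncodeText = s
End Function

' Hypothetical decoder with the same behaviour as the question's HTMLDecode.
' Decoding &amp; after &lt;/&gt; means "&amp;lt;" becomes "&lt;", not "<".
Function HtmlDecodeText(sText)
    Dim s, I
    s = sText
    s = Replace(s, "&quot;", Chr(34))
    s = Replace(s, "&lt;", Chr(60))
    s = Replace(s, "&gt;", Chr(62))
    s = Replace(s, "&amp;", Chr(38))
    s = Replace(s, "&nbsp;", Chr(32))
    For I = 1 To 255
        s = Replace(s, "&#" & I & ";", Chr(I))
    Next
    HtmlDecodeText = s
End Function

' What the question does: encode, then decode. Whatever is stored comes back
' unchanged, so the encode step provides no protection at all.
Function RenderAsInQuestion(sStored)
    RenderAsInQuestion = HtmlDecodeText(HtmlEncodeText(sStored))
End Function

' Safer order: normalise to raw text first, then encode exactly once at output.
' Rows stored already encoded and rows stored raw both come out as inert text.
Function RenderEncodedOnce(sStored)
    RenderEncodedOnce = HtmlEncodeText(HtmlDecodeText(sStored))
End Function

' Constructed sample rows: one stored already encoded, one stored raw.
Dim aRows, sRow
aRows = Array("&lt;b&gt;kim&lt;/b&gt;", "<script>alert(1)</script>")

For Each sRow In aRows
    WScript.Echo "stored:           " & sRow
    WScript.Echo "  as in question: " & RenderAsInQuestion(sRow)
    WScript.Echo "  encoded once:   " & RenderEncodedOnce(sRow)
Next
```

Run it with cscript from a command prompt. For the already-encoded row both orders print the same inert entity string, which is why the display looks fine in the question's code; for the raw row the question's order hands the browser a live script element, while decode-then-encode turns it into text. Inside the ASP page the same ordering is Server.HTMLEncode(HTMLDecode(rs_1("check_name"))). Two things worth knowing about the decoder itself: mapping &nbsp; to a plain space is lossy, and the loop only covers numeric references up to 255, so a stored &#NNNN; for a Korean character is passed through unchanged and then has its ampersand encoded, which is one way the "corrupted" display can arise.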