![]() ![]() ![]() ![]() |
|||||
|
|||||
樓主 言考 ![]()
![]() |
1.取代或過濾出現於輸入內容中的特殊字元,如:’、”、?、*、_、%、&、||、/、\、:、;、<、>、(、)等。 2.取代或過濾出現於輸入內容中的特殊html標籤,如:<script>、<iframe>、"等。 3.取代或過濾出現於輸入內容中的JavaScript事件標籤,如:onload、onclick、onfocus、onblur、onmouseover等。 4.以專業弱點掃描程式進行系統弱點掃描,若發現有其他弱點建議同時進行修補。 以下網頁有XSS跨網站指令碼漏洞,請問大大應該如何修補???? 請問應該如何修改才能補上漏洞,請大大直接給修改後編碼,謝謝 <!--#include file="../Connections/conn.asp" --> <!--#include file="../Connections/function.asp" --> <!--#include file="../sys/define/define.inc.asp" --> <!--#include file="../sys/define/menu.inc.asp" --> <!--#include file="../inc/get_mid2.inc.asp" --> <% table3="photo_album_tb" table1="photo_album_type_tb" type_select=false search_input=true keyword=replace(SQLinJ("keyword"),"%","") if keyword="" or keyword="請輸入關鍵字" then keyword_t="請輸入關鍵字" keyword="" else keyword_t=keyword table1="photo_view" SQL1=" and (title like '%"&keyword&"%' or title2 like '%"&keyword&"%' or content like '%"& keyword &"%') " end if act=replace(mstr,"&sid=","")&IIF(keyword<>"","&keyword="&keyword,"") %> <html lang="zh-TW"> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <head> <meta http-equiv="Content-Type" content="text/html; charset=big5"> <title><%=web_top_title%></title> <link href="../css/scroballbar.css" rel="stylesheet" type="text/css"> <link href="../css/text.css" rel="stylesheet" type="text/css"> <script src="../js/fontSL.js" type="text/javascript"></script> </head> <link rel="alternate stylesheet" type="text/css" href="../css/1-003.css" title="c3"> </link> <link rel="alternate stylesheet" type="text/css" href="../css/1-002.css" title="c2"> </link> <link rel="stylesheet" type="text/css" href="../css/1-001.css" title="c1"> </link><body> <table class="TH_index" height="10%" border="0" align="center" cellpadding="0" cellspacing="0" summary="排版用表格"> <tr> <td colspan="2"><!--#include file="../include/top.asp" --></td> </tr> <tr> <td class="menu_bg_style"><!--#include file="../include/menu.asp" --></td> <td class="main_bg_style" valign="top" align="center"> <!--內容開始--> <!--#include file="../include/main_top.asp" --> <!--#include file="../menu/type.inc.asp" --> <table width="100%" border="0" cellpadding="0" cellspacing="0" summary="排版用表格"> <tr> <td width="2%"></td> <td width="97%"><!--#include file="../menu/title.inc.asp" --></td> <td width="1%" align="right"></td> </tr> <tr> <td height="376" colspan="3" align="center" valign="top"><table width="95%" border="0" cellpadding="0" cellspacing="5" summary="排版用表格"> <% if keyword<>"" then '搜尋 SQL="select sid,title,img1 from "& table1 &" where (m2_id=" &m2 &") and display='Y' "& options & SQL1 &" group by sid,title,img1 " else SQL="select * from "& table1 &" where (m2_id=" &m2 &") and display='Y' "& options & SQL1 &" order by unit_orderID,sid desc " end if 'response.write SQL rs.open SQL,conn,1,1 '==分頁=============================================================== SetPageList 6 if not rs.eof then cc=true for pp=1 to rs.pagesize nUrl_id=act &"&sid="&rs(0) A_title=trim(rs("title")) A_title1=wordmark(left_chr(trim(rs("title")),12),keyword) clk=IIF(cc,"#FFFFFF","#EFEFEF") cc=not cc if trim(rs("img1"))="" or isnull(rs("img1")) then '無指定照片取得第一張照片================ img1="../img2/spacer.gif" SQLA="select top 1 img1 from " &table3 &" where sid=" &rs(0) &" order by unit_OrderID,id " rs1.open SQLA,conn,0,1 if not rs1.eof then img1=IIF(trim(rs1("img1"))<>"" ,http_path2 & rs1("img1"),img1) end if rs1.close else img1=http_path2 & rs("img1") end if '========================================= %> <tr> <td width="27%" align="center"><table border="0" cellspacing="0" cellpadding="0"> <tr> <td valign="top"><img src="../img/arr1_01.gif" alt="*" width="10" height="10"></td> <td valign="top" background="../img/arr1_02.gif"><img src="../img/arr1_02.gif" alt="*" width="3" height="10"></td> <td align="right" valign="top"><img src="../img/arr1_03.gif" alt="*" width="11" height="10"></td> </tr> <tr> <td valign="top" background="../img/arr1_04.gif"><img src="../img/arr1_04.gif" alt="*" width="10" height="1"></td> <td valign="top"><a href="index-1.asp?<%=nUrl_id%>"><img src="<%=img1%>" alt="<%=rs("title")%>" width="120" height="90" border="0"></a></td> <td align="right" valign="top" background="../img/arr1_05.gif"><img src="../img/arr1_05.gif" alt="*" width="11" height="2"></td> </tr> <tr> <td valign="top"><img src="../img/arr1_06.gif" alt="*" width="10" height="10"></td> <td valign="top" background="../img/arr1_07.gif"><img src="../img/arr1_07.gif" alt="*" width="2" height="10"></td> <td align="right" valign="top"><img src="../img/arr1_08.gif" alt="*" width="11" height="10"></td> </tr> </table></td> <td width="73%" valign="top"><table border="0" cellpadding="2" cellspacing="0" class="TH_TABLE100"> <tr> <td width="2%"><img src="../img/icon_01.gif" alt="*" width="16" height="16" align="absmiddle"></td> <td width="98%"><a href="index-1.asp?<%=nUrl_id%>" class="T95 bold bigsmall"><%=wordmark(rs("title"),keyword)%></a></td> </tr> <tr> <td> </td> <td class="T75 bigsmall"><% if keyword="" then Response.Write(wordmark(left_chr(stripHTML(rs("content")),50),keyword)) else Response.Write(wordmark(left_chr(stripHTML(get_field_name("content","photo_album_type_tb","sid",rs(0))),50),keyword)) end if %></td> </tr> </table></td> </tr> <tr align="center"> <td colspan="2"><table border="0" cellpadding="0" cellspacing="0" class="TH_TABLE100"> <tr> <td background="../images/table-line.gif" style="background-repeat: repeat-x;"><img src="../img/spacer.gif" alt="*" width="3" height="3"></td> </tr> </table></td> </tr> <% rs.movenext if rs.eof then exit for end if next else Response.Write("<span class='bigsmall'>目前尚無資料...</span>") end if %> </table> <table width="95%" border="0" cellspacing="0" cellpadding="1"> <tr> <td align="center"><% Page_List page,rs.pagecount,act %></td> </tr> </table> <br> <!--#include file="../menu/gotop.asp" --></td> </tr> </table> <!--內容結束--> </td> </tr> <tr> <td colspan="2"><!--#include file="../include/down.asp" --></td> </tr> </table> </body> </html> |