我的搜索字段中有一个XSS漏洞,当我放入提示警报("XSS"(时,会出现窗口。我使用了vega和OWASP ZAP来知道我的错误在哪里,我已经检测到了,它在带下划线的代码中,但我不知道如何消毒,你能帮我吗?这是我的代码:
<?php
require_once("../include/pictures.php");
require_once("../include/comments.php");
require_once("../include/cart.php");
require_once("../include/html_functions.php");
require_once("../include/functions.php");
session_start();
if (!isset($_GET['query']))
{
http_redirect("/error.php?msg=Error, need to provide a query to search");
}
$pictures = Pictures::get_all_pictures_by_tag($_GET['query']);
?>
<?php our_header("", $_GET['query']); ?>
<div class="column prepend-1 span-24 first last">
<h2>Pictures that are tagged as '<?= $_GET['query'] ?>'</h2>
<?php thumbnail_pic_list($pictures); ?>
</div>
<?php our_footer(); ?>
我不能加下划线,需要消毒的代码是:
'<?= $_GET['query'] ?>'
使用此
htmlspecialchars($_GET['query'])