|

楼主 |
发表于 2023-4-22 16:22:18
|
显示全部楼层
- <?php
- /**
- * Created by runner.han
- * There is nothing new under the sun
- */
- $SELF_PAGE = substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],'/')+1);
- if ($SELF_PAGE = "xss_03.php"){
- $ACTIVE = array('','','','','','','','active open','','','','','','','','','active','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','');
- }
- $PIKA_ROOT_DIR = "../../";
- include_once $PIKA_ROOT_DIR.'header.php';
- $html='';
- if(isset($_GET['submit'])){
- if(empty($_GET['message'])){
- $html.="<p class='notice'>叫你输入个url,你咋不听?</p>";
- }
- if($_GET['message'] == 'www.baidu.com'){
- $html.="<p class='notice'>我靠,我真想不到你是这样的一个人</p>";
- }else {
- //输出在a标签的href属性里面,可以使用javascript协议来执行js
- //防御:只允许http,https,其次在进行htmlspecialchars处理
- // /http[s]{0,1}:\/\/([\w.]+\/?)\S*/
- // ^(http|https)://
- // /^([hH][tT]{2}[pP]:\/\/|[hH][tT]{2}[pP][sS]:\/\/)(([A-Za-z0-9-~]+)\.)+([A-Za-z0-9-~\/])+$/
- [color=Red]这里写PHP代码[/color]
- $message=htmlspecialchars($_GET['message'],ENT_QUOTES);
- $html.="<a href='{$message}'> 阁下自己输入的url还请自己点一下吧</a>";
- }
- }
- ?>
- <div class="main-content">
- <div class="main-content-inner">
- <div class="breadcrumbs ace-save-state" id="breadcrumbs">
- <ul class="breadcrumb">
- <li>
- <i class="ace-icon fa fa-home home-icon"></i>
- <a href="xss.php">xss</a>
- </li>
- <li class="active">xss之href输出</li>
- </ul><!-- /.breadcrumb -->
- <a href="#" style="float:right" data-container="body" data-toggle="popover" data-placement="bottom" title="tips(再点一下关闭)"
- data-content="a标签里面的href,img里面的src属性,有什么特殊的么">
- 点一下提示~
- </a>
- </div>
- <div class="page-content">
- <div id="xssr_main">
- <p class="xssr_title">请输入一个你常用的网站url地址,我就知道你是什么人</p>
- <form method="get">
- <input class="xssr_in" type="text" name="message" />
- <input class="xssr_submit" type="submit" name="submit" value="submit" />
- </form>
- <?php
- echo $html;
- ?>
- </div>
- </div><!-- /.page-content -->
- </div>
- </div><!-- /.main-content -->
- <?php
- include_once $PIKA_ROOT_DIR.'footer.php';
- ?>
复制代码
这是代码 |
|