| tiêu đề | Philipinho Simple-PHP-Blog 1.0 Improper Neutralization of Alternate XSS Syntax |
|---|
| Mô tả | In Simple-PHP-Blog version 1.0, there is a Cross-Site Scripting (XSS) vulnerability in the login form. The username field uses the strip_tags() function to sanitize user input, which is insufficient to prevent XSS attacks. An attacker can inject JavaScript event handlers (e.g., onmouseover) or use JavaScript pseudo-protocols to bypass the strip_tags() filter. This vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or other malicious activities.
To fix this vulnerability, it is recommended to use htmlspecialchars() with the ENT_QUOTES flag and UTF-8 encoding when outputting user input in HTML contexts. This ensures that special characters are properly converted to HTML entities, neutralizing any attempt to inject JavaScript code. |
|---|
| Nguồn | ⚠️ https://gitee.com/sun-huizhi/dazhi/issues/IDBUOY |
|---|
| Người dùng | dazhi (UID 87857) |
|---|
| Đệ trình | 09/12/2025 09:58 (cách đây 6 các tháng) |
|---|
| Kiểm duyệt | 28/12/2025 17:03 (19 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 338608 [Philipinho Simple-PHP-Blog đến 94b5d3e57308bce5dfbc44c3edafa9811893d958 /login.php tên người dùng Tập lệnh chéo trang] |
|---|
| điểm | 20 |
|---|