Details
URL encoded POST input NewTop1%24hidLogoUrl was set to " onmouseover=prompt(935845) bad="
The input is reflected inside a tag parameter between double quotes.
Request headers
POST /actionfornewcustomers.aspx HTTP/1.1
Content-Length: 560
Content-Type: application/x-www-form-urlencoded
(line truncated)
...2f%2fimg.f508.com%2fGoods_Pic%2fGDS_Preview%2f2010-11-17%2fC477585_ListPic20101117100
952.jpg%2chttp%3a%2f%2fimg.f508.com%2fGoods_Pic%2fGDS_Preview%2fc460266_ListPic.jpg%2cht
tp%3a%2f%2fimg.f508.com%2fGoods_Pic%2fGDS_Preview%2f2010-02-03%2fC787190_ListPic10020304
1825.jpg%2chttp%3a%2f%2fimg.f508.com%2fGoods_Pic%2fGDS_Preview%2fc659323_ListPic.jpg&Gds
Url=%2fNvZhuang%2fChenShan%2fC477585%2f%2c%2fNvZhuang%2fZhenZhiShan%2fC460266%2f%2c%2fNv
Zhuang%2fTXu%2fC787190%2f%2c%2fNvZhuang%2fChenShan%2fC659323%2f
Host: www.f508.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
What I mainly want to understand is what the error under Details means. It says the posted data may be vulnerable to a script attack, but the posted value is written in a hidden field:
<!-- LOGO link -->
<input type="hidden" id="hidLogoUrl" runat="server" value="http://www.sdfd.com"/>
Below is the code that displays the logo:
<li class="hp_logo"><a href="<%=strLogoUrl %>" title="<%= strLogoName %>">
<img src='<%=strLogoPath %>' alt="<%= strLogoName %>" /></a></li>
The code-behind .cs file operates on that hidden field and decides whether to display the link from its value or the one read from the database.
I have now applied an "XSS attack script filter" to this hidden field, but the error is still reported. Could the link read from the database be what causes the XSS attack script?
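The posted parameter name NewTop1%24hidLogoUrl decodes to NewTop1$hidLogoUrl, which is the server-side hidden field itself, so whether the value later comes from Request.Form or from the database, the defence is the same: allow only http/https URLs and attribute-encode the value at the point where it is written into href or src. The helper below is an added example, not the site's own code; the class and method names and the fallback URL are assumptions.

```csharp
using System;
using System.Web;

// Added example (not the site's code). Call from the page's code-behind before
// assigning strLogoUrl / strLogoPath, and keep the markup attributes double-quoted,
// e.g. <a href="<%= strLogoUrl %>"> and <img src="<%= strLogoPath %>" />.
public static class LogoUrlHelper
{
    // Returns an attribute-safe URL. Only absolute http/https URLs are accepted;
    // anything else, including the scanner payload " onmouseover=prompt(935845) bad="
    // (no scheme, so Uri.TryCreate fails) or a javascript: URL (wrong scheme),
    // is replaced by the fallback.
    public static string SafeLogoUrl(string raw, string fallback)
    {
        Uri uri;
        if (!string.IsNullOrEmpty(raw)
            && Uri.TryCreate(raw, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
        {
            // Encode for the attribute context: a double quote becomes &quot;,
            // so the value can never close href="..." and start a new attribute.
            return HttpUtility.HtmlAttributeEncode(uri.AbsoluteUri);
        }
        return HttpUtility.HtmlAttributeEncode(fallback);
    }
}

// Example use in the code-behind (hypothetical field names):
//   strLogoUrl  = LogoUrlHelper.SafeLogoUrl(hidLogoUrl.Value, "/");
//   strLogoPath = LogoUrlHelper.SafeLogoUrl(logoPathFromDb, "/images/logo.png");
```

Filtering the hidden field on input does not help when the same value is also stored and later read back; the encoding has to happen where the attribute is emitted.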