[phpcms site building] Fixing the phpcms comment redirect bug

Updated: 2019-05-09    Category: Page Effects


This is a small problem but a real headache. Let's work through how the bug arises.

phpcms implements commenting by loading a separate comment page into the content page through an iframe. The form on that comment page is submitted to {APP_PATH}index.php?m=comment&c=index&a=post&commentid={$commentid} for processing.

Looking at the post method of the index controller in the comment module, we find the _show_msg() method, which in turn calls showmessage(). showmessage() includes the message template:

The code is as follows:

function showmessage($msg, $url_forward = "goback", $ms = 600, $dialog = "") {
    if (defined("IN_ADMIN")) {
        // back-end: use the admin message template
        include(admin::admin_tpl("showmessage", "admin"));
    } else {
        // front-end: use templates/content/message
        include(template("content", "message"));
    }
    exit;
}

Next, open the message template under templates/content; every redirect is rendered by this template:

The template renders a fallback link whose target is the redirect URL, with the text "If your browser does not redirect automatically, please click here".

The problem is right here: the URL is passed through remove_xss(). Let's look at the remove_xss() method:

The code is as follows (excerpt):

// blacklisted tag and protocol names
$parm1 = Array("javascript", "vbscript", "expression", "applet", "meta", "xml", "blink", "link", "script", "embed", "object", "iframe", "frame", "frameset", "ilayer", "layer", "bgsound", "title", "base");

// blacklisted event-handler attribute names
$parm2 = Array("onabort", "onactivate", "onafterprint", "onafterupdate", "onbeforeactivate", "onbeforecopy", "onbeforecut", "onbeforedeactivate", "onbeforeeditfocus", "onbeforepaste", "onbeforeprint", "onbeforeunload", "onbeforeupdate", "onblur", "onbounce", "oncellchange", "onchange", "onclick", "oncontextmenu", "oncontrolselect", "oncopy", "oncut", "ondataavailable", "ondatasetchanged", "ondatasetcomplete", "ondblclick", "ondeactivate", "ondrag", "ondragend", "ondragenter", "ondragleave", "ondragover", "ondragstart", "ondrop", "onerror", "onerrorupdate", "onfilterchange", "onfinish", "onfocus", "onfocusin", "onfocusout", "onhelp", "onkeydown", "onkeypress", "onkeyup", "onlayoutcomplete", "onload", "onlosecapture", "onmousedown", "onmouseenter", "onmouseleave", "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onmousewheel", "onmove", "onmoveend", "onmovestart", "onpaste", "onpropertychange", "onreadystatechange", "onreset", "onresize", "onresizeend", "onresizestart", "onrowenter", "onrowexit", "onrowsdelete", "onrowsinserted", "onscroll", "onselect", "onselectionchange", "onselectstart", "onstart", "onstop", "onsubmit", "onunload");

This is only an excerpt, but it shows that the function strips the string "iframe" from whatever it filters. So when the message page redirects back to /index.php?m=comment&c=index&a=init&commentid=content_13-20-1&iframe=1, the iframe parameter in that URL is gone. Now look at the init method:

The code is as follows:

// $url is assigned earlier in init() (not shown in this excerpt)
if (isset($_GET["iframe"])) {
    if (strpos($url, APP_PATH) === 0) {
        // local URL: stay on this site
        $domain = APP_PATH;
    } else {
        // absolute URL: rebuild scheme://host[:port]/
        $urls = parse_url($url);
        $domain = $urls["scheme"] . "://" . $urls["host"] . (isset($urls["port"]) && !empty($urls["port"]) ? ":" . $urls["port"] : "") . "/";
    }
    include template("comment", "show_list");
} else {
    include template("comment", "list");
}

Now it all makes sense: when the iframe parameter is present, the show_list page is used; otherwise the "view all comments" page (list) is shown. Because remove_xss() removed the parameter, the redirect always lands on the full-page list instead of the embedded comment list.

The fix:
In the message template, replace the remove_xss() call with trim_script():

The code is as follows:

function trim_script($str) {
    if (is_array($str)) {
        foreach ($str as $key => $val) {
            $str[$key] = trim_script($val);
        }
    } else {
        // the replacements use full-width brackets (＜ ＞) and a full-width colon (：),
        // so the tags and "javascript:" no longer parse as HTML or as a URL scheme
        // while the rest of the string, including the query string, is left intact
        $str = preg_replace("/\<([\/]?)script([^\>]*?)\>/si", "＜\\1script\\2＞", $str);
        $str = preg_replace("/\<([\/]?)iframe([^\>]*?)\>/si", "＜\\1iframe\\2＞", $str);
        $str = preg_replace("/\<([\/]?)frame([^\>]*?)\>/si", "＜\\1frame\\2＞", $str);
        $str = str_replace("javascript:", "javascript：", $str);
    }
    return $str;
}

Use this method for the safety filtering: it neutralises script, iframe and frame tags and the javascript: scheme without deleting the iframe query parameter.
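The following script is an added example, not code from the article or from phpcms (apart from trim_script(), which is reproduced from above). It runs the URL quoted in the article through a simplified model of remove_xss() (every token in $parm1 deleted wherever it occurs; the real function also matches obfuscated spellings, which does not change the outcome here), through trim_script(), and through a stricter alternative of my own: accept only local paths under APP_PATH, the same prefix test init() already applies, and reject anything that parses with a scheme or host. APP_PATH is assumed to be "/", and local_redirect_url() and has_iframe_param() are names I chose for this example.

```php
<?php
// Added example (not phpcms code): shows why remove_xss() breaks the comment
// redirect, that trim_script() does not, and a whitelist-style alternative.
define('APP_PATH', '/');   // assumption: site served from the web root

// Constructed sample: the URL post() redirects back to after a comment is saved.
$urlForward = APP_PATH . 'index.php?m=comment&c=index&a=init&commentid=content_13-20-1&iframe=1';

// Simplified model of remove_xss(): each blacklisted token from $parm1 is deleted
// wherever it occurs in the string, including inside a query-string parameter name.
function strip_blacklist_tokens($str) {
    $parm1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml',
                   'blink', 'link', 'script', 'embed', 'object', 'iframe', 'frame',
                   'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    foreach ($parm1 as $token) {
        $str = preg_replace('/' . preg_quote($token, '/') . '/i', '', $str);
    }
    return $str;
}

// phpcms trim_script(): tags are neutralised by swapping in full-width brackets,
// so the string keeps its length and its query string.
function trim_script($str) {
    if (is_array($str)) {
        foreach ($str as $key => $val) {
            $str[$key] = trim_script($val);
        }
    } else {
        $str = preg_replace('/\<([\/]?)script([^\>]*?)\>/si', '＜\\1script\\2＞', $str);
        $str = preg_replace('/\<([\/]?)iframe([^\>]*?)\>/si', '＜\\1iframe\\2＞', $str);
        $str = preg_replace('/\<([\/]?)frame([^\>]*?)\>/si', '＜\\1frame\\2＞', $str);
        $str = str_replace('javascript:', 'javascript：', $str);
    }
    return $str;
}

// Stricter alternative (hypothetical, not phpcms code): keep only URLs that are
// local paths under APP_PATH and have no scheme or host (this also rejects
// protocol-relative "//host/..." targets). Anything else falls back to the root.
// The returned URL must still be escaped with htmlspecialchars() when written
// into the href attribute; escaping is kept separate from validation here.
function local_redirect_url($url) {
    $parts = parse_url($url);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || strpos($url, APP_PATH) !== 0) {
        return APP_PATH;
    }
    return $url;
}

// Does the query string still carry the iframe parameter that init() checks?
function has_iframe_param($url) {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return isset($params['iframe']);
}

$variants = array(
    'original'           => $urlForward,
    'remove_xss (model)' => strip_blacklist_tokens($urlForward),   // "&iframe=1" becomes "&=1"
    'trim_script'        => trim_script($urlForward),              // unchanged: no "<" in the URL
    'local_redirect_url' => local_redirect_url($urlForward),       // accepted as-is
);
foreach ($variants as $label => $url) {
    printf("%-20s %s  iframe param: %s\n", $label, $url,
           has_iframe_param($url) ? 'kept' : 'lost');
}

// Constructed off-site target: replaced by the site root rather than passed through.
printf("%-20s %s\n", 'off-site target',
       local_redirect_url('//other-host.example/index.php?iframe=1'));
// The validated URL is escaped only at output time, inside the href:
printf("href=\"%s\"\n", htmlspecialchars(local_redirect_url($urlForward), ENT_QUOTES, 'UTF-8'));
```

The model of remove_xss() turns `&iframe=1` into `&=1`, so `isset($_GET["iframe"])` in init() is false and the full-page list is shown; trim_script() leaves the URL untouched because nothing in it is an HTML tag. The local_redirect_url() variant is the one to prefer when the value only ever needs to be a path on the same site: it does not depend on a blacklist at all, so it can neither eat a parameter name nor miss a spelling the blacklist does not know.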

Source: http://www.bbyears.com/wangyetexiao/50203.html
