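How to protect emlog against XSS attacks:
Set the HttpOnly flag on its cookies, so that script injected through XSS cannot read them. Steps:
1. Open the file "include\lib\loginauth.php", find the setAuthCookie function at line 134, and change it to the following code: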
    /**
     * Write the cookie used for login authentication
     *
     * @param string $user_login User login name
     * @param bool $ispersis Whether to remember the user or not
     */
    public static function setAuthCookie($user_login, $ispersis = false) {
        if ($ispersis) {
            // Persistent login: 3600 * 24 * 30 * 12 seconds from now
            $expiration = time() + 3600 * 24 * 30 * 12;
        } else {
            // No explicit expiry
            $expiration = null;
        }
        $auth_cookie_name = AUTH_COOKIE_NAME;
        $auth_cookie = self::generateAuthCookie($user_login, $expiration);
        // Arguments: name, value, expiry, path, domain, secure = false, httponly = true
        setcookie($auth_cookie_name, $auth_cookie, $expiration, '/', '', false, true);
    }
2. Then change the genToken function at line 212 to:
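    /**
     * Generate a token to defend against CSRF attacks
     */
    public static function genToken() {
        $token_cookie_name = 'EM_TOKENCOOKIE_' . md5(substr(AUTH_KEY, 16, 32) . UID);
        if (isset($_COOKIE[$token_cookie_name])) {
            // Reuse the token the browser already holds
            return $_COOKIE[$token_cookie_name];
        } else {
            $token = md5(getRandStr(16));
            // Arguments: name, value, expiry (0 = session), path, domain, secure = false, httponly = true
            setcookie($token_cookie_name, $token, 0, '/', '', false, true);
            return $token;
        }
    }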
3. Save the changes; the cookies are now set with the HttpOnly flag.
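To confirm the change took effect, the Set-Cookie headers of a login response can be audited. The following is an added example, not part of emlog or of the original page: the cookie names with the `_placeholder` suffix and all header values are constructed samples. It also reports the Secure flag, because both setcookie calls above pass false for that argument.

```python
from typing import Dict, List, Tuple

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, lower-cased attribute map) for one Set-Cookie value."""
    first, *rest = header.split(";")
    name = first.partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            # Attribute names are case-insensitive ("HttpOnly" or "httponly").
            attrs[key.lower()] = val.strip()
    return name, attrs

def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the flags (HttpOnly, Secure) it is missing."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        # Only attributes count: a cookie *value* of "httponly" is not the flag.
        report[name] = [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
    return report

# Constructed sample: headers as they would look before the edit.
SAMPLE_BEFORE = [
    "EM_AUTHCOOKIE_placeholder=admin%7C%7Cabc123; path=/",
    "EM_TOKENCOOKIE_placeholder=httponly; path=/",
]
# Constructed sample: headers after the edit (either spelling of the flag).
SAMPLE_AFTER = [
    "EM_AUTHCOOKIE_placeholder=admin%7C%7Cabc123; "
    "expires=Thu, 01-Jan-2026 00:00:00 GMT; path=/; HttpOnly",
    "EM_TOKENCOOKIE_placeholder=00112233445566778899aabbccddeeff; path=/; httponly",
]

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for cookie, missing in audit(sample).items():
            print(f"{label}: {cookie} missing {missing or 'nothing'}")
```

In practice the input is the list of Set-Cookie values copied from the browser's developer tools or a saved response.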