开发者

Accepting Code Snippets in URL Query

开发者 https://www.devze.com 2023-02-23 19:54 出处:网络
I\'m trying to create a type of HTML editor app with a preview box. Everything is working fine, except I just added URL parameters/queries in this format.

I'm trying to create a type of HTML editor app with a preview box. Everything is working fine, except I just added URL parameters/queries in this format.

http://edit.mydomain.com/?code=%3Cp%3EWelcome!%3C%2Fp%3E&type=html

These are working fine until this gets added into it:

<script type="text/javascript">

Encoded, that would be

http://edit.mydomain.com/?code=%3Cscript%20type%3D%22text%2Fjavascript%22%3E&type=html

Unfortunately, going directly to that loads an infinite redirect error.

Next, I tried removing any .htaccess rewrite rules (because they really aren't needed on this particular p开发者_如何转开发age) I had which are:

RewriteEngine On
RewriteRule ^(.*)/$ /$1.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://edit.mydomain.com/$1/ [R=301,L]

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\.php\ HTTP/ [NC]
RewriteRule .+ http://edit.mydomain.com/%1  [R=301,QSA]

But doing that caused the URL with the query to load a Forbidden page saying I'm not allowed to access /.

When this was previously in a directory, it loaded the root home page (not directory) even though the URL showed the directory followed by the query.

I also have a feeling that the server blocked my IP for a while yesterday because the site suddenly went down for me and only me. Would such URL queries be considered a security risk?

Removing the < part of the code (or %3C encoded) fixes this error but of course, the < is missing from the code that outputs.

Is it possible to accept the encoded in the URL? It seems to work fine with

tags.

Thanks.


It's entirely possible that your <script> tag in the URL parameter is triggering some sort of intrusion protection on your server or your ISP's firewall.

Stuff like this is usually done with a POST request, not a GET request. Is there a reason you're not doing it that way?


it is possible that you have mod_security installed. i believe mod_security2 doesnt allow control from the .htaccess file but the older version do. http://www.modsecurity.org/

However i think instead of fiddling around with mod_security rules its better that you figure out a way to send the code in a POST var rather than GET.

0

精彩评论

暂无评论...
验证码 换一张
取 消