Do I have a DOM-based XSS attack?

I can't show code right now, but I don't think it matters. In one area of my very dynamic and scripted site, I had a group of links to an external site. I noticed that a lot of text in a section that follows was underlined, and on investigation in DevTools I saw that the last link in that group was missing a closing anchor tag. Fixed that, fine. But on next reload, it comes back. So...I ripped out those links, ripped out the whole section. Those changes do show up so the page is not cached. But those links with missing closing tag.... comes back. When I look at the code in Google Dev Tools, I see code that is NOT in the file, just as though it were cached. But the file is not being cached, it is updated on the server, and I can see the other changes I've made (both IE and Google). The console shows tons of crap from Google, advertising, FB, etc. I tried ripping out the YouTube, the Facebook, etc. and even with those elements missing, even without my JS, it comes back.

So...I can only think of some kind of XSS attack. I've never seen this before. Any ideas?

Best answer

When I built this site last year under time pressure, it had a lot of includes, many "Russian nesting dolls". Aware of that, and wanting to try to limit that depth and save time, in some cases I copy-pasted common content, although I knew better. This included a set of links, and the last link was missing a closing "</a>". This got copied to two other places. So when I fixed the error in the index file on Friday, the problem still existed in two other places, which I finally hunted down this morning. SOLVED. [Had I continued the original structure pattern with two more includes, I could have found and solved the issue once. But I also need to document my structure on paper, because everything that was in my head last year during the build is this year....um, much less familiar. Let this be a warning to you, son.]

Jeez.
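Before treating markup that "comes back" as injected, it helps to check whether a copy of it still sits in another template on the server. The following is an added example, not code from the original post: it walks a source tree and reports every file that still contains an anchor without its closing tag. The file names, extensions and URLs are constructed for illustration.

```python
import os
import tempfile
from html.parser import HTMLParser

class AnchorBalance(HTMLParser):
    """Records <a> tags that never get a closing </a>."""
    def __init__(self):
        super().__init__()
        self.pending = []   # (line, href) of the anchor awaiting </a>
        self.unclosed = []  # anchors confirmed unclosed

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # Anchors cannot nest: a new <a> means the pending one was never closed.
            self.unclosed += self.pending
            self.pending = [(self.getpos()[0], dict(attrs).get("href"))]

    def handle_endtag(self, tag):
        if tag == "a":
            self.pending = []

def find_unclosed_anchors(markup):
    parser = AnchorBalance()
    parser.feed(markup)
    parser.close()
    return parser.unclosed + parser.pending  # still open at end of file

def scan_tree(root, exts=(".html", ".htm", ".php", ".inc")):
    """Map each template under root to its unclosed anchors, if any."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = find_unclosed_anchors(fh.read())
                if found:
                    hits[os.path.relpath(path, root)] = found
    return hits

def demo():
    # Constructed fragments: one link group pasted into two files, only one fixed.
    fixed = '<a href="https://example.com/1">One</a>\n<a href="https://example.com/2">Two</a>\n'
    stale = '<a href="https://example.com/1">One</a>\n<a href="https://example.com/2">Two\n<p>Next</p>\n'
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.html", fixed), ("sidebar.inc", stale)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

If `scan_tree` comes back empty for the whole document root while the browser still shows the broken markup, the fragment is not coming from the static source, and that is the point at which to look at client-side scripts and third-party embeds.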
