|
|
我的站 www.ehouse2008.com 扫描发现存在XSS跨站脚本漏洞,网站源码如下,那位高手帮我看看该如何修复这个漏洞!
网站源码如下:
<http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<%
set rs_xx=server.CreateObject("adodb.recordset")
sql_xx="select * from System_isSystemConfig_Table"
rs_xx.open sql_xx,dconn,1,1
%>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title><%=rs_xx("SiteInfo")%></title>
<meta name="Keywords" content="<%=rs_xx("Keywords")%>" />
<meta name="Description" content="<%=rs_xx("descriptions")%>" />
<%rs.close%>
<link href="css.css" type="text/css" rel="stylesheet" />
</head>
<body>
<table width="1004" height="1046" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td align="left" valign="top"><!--#include file="top.asp"-->
<table width="1004" height="170" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="286" height="5"></td>
<td width="718"></td>
</tr>
<tr>
<td height="165" align="left" valign="top"><!--#include file="left.asp"--></td>
<td align="right" valign="top"><table width="670" border="0" cellspacing="0" cellpadding="0" style="border:1px #6d4f46 solid">
<tr>
<%
bigclass=request.QueryString("bigclass")
if bigclass="" then
rs.open "select * from news where ntype='产品展示' order by id desc",dconn,1,1
bigclass=rs("bigclass")
else
rs.open "select * from news where bigclass='"& bigclass &"' order by id desc",dconn,1,1
end if
%>
<td height="35" align="left" valign="middle" style="text-indent:15px; line-height:25px; border-bottom:1px #6d4f46 solid">当前位置:首页 >> <%=bigclass%></td>
</tr>
<tr>
<td height="398" align="left" valign="top">
<div style="width:706px;">
<%
if rs.eof then
response.Write("<br/> 内容正在编辑当中……")
else
rs.pagesize=6
yeshu=request.QueryString("yeshu")
if int(yeshu)="" or int(yeshu)<1 then
yeshu=1
end if
if int(yeshu)>rs.pagecount then
yeshu=rs.pagecount
end if
rs.absolutepage=yeshu
i=(yeshu-1)*rs.pagesize+1
do while not rs.eof and j<rs.pagesize
%><div style="width:210px; height:180px; float:left">
<table width="210" height="180" border="0" align="left" cellpadding="0" cellspacing="0">
<tr>
<td height="150" align="right"><table width="1" border="0" cellspacing="0" cellpadding="0" style="border:1px #333333 solid">
<tr>
<td><a href="product_in.asp?id=<%=rs("id")%>"><img src="<%=rs("pic")%>" width="169" height="131" border="0" style="margin:2px" /></a></td>
</tr>
</table></td>
</tr>
<tr>
<td align="center"><a href="product_in.asp?id=<%=rs("id")%>"><%=rs("ntitle")%></a></td>
</tr>
</table>
</div>
<%
i=i+1
j=j+1
rs.movenext
loop
end if
rs.close
%></div></td>
</tr>
<tr>
<td height="30" align="center" valign="middle"><a href="product.asp?yeshu=1&bigclass=<%=bigclass%>">首页</a> <a href="product.asp?yeshu=<%=yeshu-1%>&bigclass=<%=bigclass%>">上一页</a> <a href="product.asp?yeshu=<%=yeshu+1%>&bigclass=<%=bigclass%>">下一页</a> <a href="product.asp?yehsu=<%=rs.pagecount%>&bigclass=<%=bigclass%>">末页</a></td>
</tr>
</table></td>
</tr>
</table>
<table width="1004" border="0" cellspacing="0" cellpadding="0">
<tr>
<td height="5"></td>
</tr>
</table>
<!--#include file="footer.asp"-->
</td>
</tr>
</table>
</body>
</html>
|
|
发表于 2012-12-10 11:54:00
已绑定手机
已实名认证