emlog防止xss攻击的方法:
给cookie设置上httponly检查,操作步骤:
1.打开“includelibloginauth.php”文件,找到第134行的setAuthCookie函数,改成以下代码:
/**
* 写用于登录验证cookie
*
* @param int $user_id User ID
* @param bool $remember Whether to remember the user or not
*/
public static function setAuthCookie($user_login, $ispersis = false) {
if ($ispersis) {
$expiration = time() + 3600 * 24 * 30 * 12;
} else {
$expiration = null;
}
$auth_cookie_name = AUTH_COOKIE_NAME;
$auth_cookie = self::generateAuthCookie($user_login, $expiration);
setcookie($auth_cookie_name, $auth_cookie, $expiration,'/', '', false,true);
}
2.再将212行的genToken函数改为:
/**
* 生成token,防御CSRF攻击
*/
public static function genToken() {
$token_cookie_name = 'EM_TOKENCOOKIE_' . md5(substr(AUTH_KEY, 16, 32) . UID);
if (isset($_COOKIE[$token_cookie_name])) {
return $_COOKIE[$token_cookie_name];
} else {
$token = md5(getRandStr(16));
setcookie($token_cookie_name, $token, 0, '/', '', false, true);
return $token;
}
}
3.保存修改即可给cookie设置上httponly检查。
