各位大侠~!跨站脚本漏洞,如何修补
各位大侠,最近网站检测到有跨站脚本攻击漏洞,请问各位高手如何修补,贴上代~~!
<%
nianfen=trim(request("nianfen"))
shengfen=trim(request("shengfen"))
leibie=trim(request("leibie"))
jiage=trim(request("jiage"))
%>
<html>
<head>
<title>search</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css">
<!--
.style11 { color: #0066CC;
font-weight: bold;
}
-->
</style>
</head>
<body onLoad="init();">
<table width="98%" border="0" align="center" cellpadding="2" cellspacing="1" class="tableBorder">
<form action="index.asp" name="xie" method="post">
<tr>
<th height="55" colspan="4" class="tableHeaderText" style="font-size:14px;"><div align="center">
<p> </p>
<p>查询</p>
<p> </p>
</div></th>
</tr>
<tr bgcolor="7897E0">
<td align="center"><strong>年 份</strong></td>
<td align="center"><strong>省 份</strong></td>
<td align="center"><strong>类 别</strong></td>
<td height="28" align="center"><strong>价 格</strong></td>
</tr>
<tr >
<td width="20%" align="center" class="tableHeaderText">
<select name="nianfen" style="width:115px;height:25px;line-height:25px;">
<option value="2018" <%if nianfen="2018" then%>selected="selected"<%end if%>>2018年</option>
</select> </td>
<td width="20%" align="center">
<select name="shengfen" style="width:115px;height:25px;line-height:25px;">
<option value="安徽" <%if shengfen="安徽" then%>selected="selected"<%end if%>>A-安徽</option>
<option value="北京" <%if shengfen="北京" then%>selected="selected"<%end if%>>B-北京</option>
</select> </td>
<td width="20%" align="center"><select name="leibie" style="width:115px;height:25px;line-height:25px;">
<option value="轮胎" <%if leibie="轮胎" then%>selected="selected"<%end if%>>轮胎</option>
<option value="座椅" <%if leibie="座椅" then%>selected="selected"<%end if%>>座椅</option>
<option value="玻璃" <%if leibie="玻璃" then%>selected="selected"<%end if%>>玻璃</option>
</select> </td>
<td width="40%" height="28" align="center"><select name="jiage" style="width:200px;height:25px;line-height:25px;">
<option value=" ">所有价格</option>
<option value="0—100">0—100</option>
<option value="101—500">101—500</option>
<option value="501-1000">501-1000</option>
<option value="1001以上">1001以上</option>
</select> </td>
</tr>
<tr>
<th height="55" colspan="4" class="tableHeaderText"><div align="center"><input name="Submit" type="submit" class="inputs" style="height:28px; width:80px; font-size:14px; font-weight:bold" value="查 询"></div></th>
</tr>
</form>
</table>
<table width="98%" border="0" align="center" cellpadding="2" cellspacing="1" class="tableBorder" <%if nianfen="" then%> style="display:none" <%end if%>>
<tr>
<th height=25 colspan="5" class="tableHeaderText"> </th>
</tr>
<form name="form2" action="index.asp" method="post">
<tr class="tableHeaderText" height=25>
<td width="8%" align="center"><b>年份</b></td>
<td width="8%" align="center"><b>省份</b></td>
<td width="8%" align="center"><b>地区</b></td>
<td width="8%" align="center"><b>类别</b></td>
<td width="8%" align="center"><b>价格</b></td>
</tr>
<%
if jiage<>"" then
sql="select * from sc_wup where nianfen='"&nianfen&"' and shengfen='"&shengfen&"' and leibie='"&leibie&"' and jiage='"&jiage&"' order by id asc"
else
sql="select * from sc_wup where nianfen='"&nianfen&"' and shengfen='"&shengfen&"' and leibie='"&leibie&"' order by id asc"
end if
count=0
set rs=server.createobject("adodb.recordset")
rs.open sql,conn,1,1
Do While not Rs.Eof
count=count+rs("ji_shu")
%>
<%
if jiage<>"" then
set rszz=conn.execute("select sum(ji_shu) as numzz from sc_wup where nianfen='"&nianfen&"' and shengfen='"&shengfen&"' and leibie='"&leibie&"' and jiage='"&jiage&"'")
if rszz("numzz")<>"" then
numzz=rszz("numzz")
else
numzz=0
end if
else
set rszz=conn.execute("select sum(ji_shu) as numzz from sc_wup where nianfen='"&nianfen&"' and shengfen='"&shengfen&"' and leibie='"&leibie&"'")
if rszz("numzz")<>"" then
numzz=rszz("numzz")
else
numzz=0
end if
end if
%>
<tr onMouseOver="this.style.background='#FFFFCC'" onMouseOut="this.style.background='#EEF7FD'">
<td align="center"><%=rs("nianfen")%></td>
<td align="center"><%=Rs("shengfen")%></td>
<td align="center"><%=rs("diqu")%> </td>
<td align="center"> <%=rs("leibie")%></td>
<td align="center"><%=rs("jiage")%></td>
</tr>
<%
Rs.MoveNext
Loop
Rs.Close:Set Rs=Nothing
%>
<input type="hidden" name="nianfen" value="<%=nianfen%>">
<input type="hidden" name="shengfen" value="<%=shengfen%>">
<input type="hidden" name="leibie" value="<%=leibie%>">
<input type="hidden" name="leibie" value="<%=jiage%>">
<tr onMouseOver="this.style.background='#FFFFCC'" onMouseOut="this.style.background='#EEF7FD'">
<td colspan="7" align="center"> </td>
<td align="left" colspan="3" style="font-size:14px; color:#FF0000; font-weight:bold"></td>
</tr></form>
</table>
</body>
</html>