Discuz 3.4 guest mobile version: homepage search error "Discuz! Mobile System Error"
Discuz! Mobile System Error
Error messages:
Your current request contains illegal characters and has been rejected by the system.
To reproduce: on a phone, clear the browser cache (or use Chrome incognito mode with the UA switched to a mobile one), then click the search box on the homepage and search directly, without first clicking into a forum section.
Then switch the UA override off and refresh the page; the code shown is:
search.php(discuz_application->init)
source/class/discuz/discuz_application.php(discuz_application->_init_misc)
source/class/discuz/discuz_application.php(discuz_application->_xss_check)
source/class/discuz/discuz_application.php(system_error)
source/function/function_core.php(discuz_error::system_error)
source/class/discuz/discuz_error.php(discuz_error::debug_backtrace)
老周部落
Blocked by xss_check. The usual cause is that the formhash changed, but when I tested against your site I didn't see it change, which is a bit odd.
@老周部落 https://gitee.com/ComsenzDiscuz/DiscuzX/blob/master/upload/source/class/discuz/discuz_application.php#L354
A tutorial I found online changes it to the following. Is that reasonable? It looks like it simply removes the formhash check.
    private function _xss_check() {
        // Decode the request URI twice (so double-encoded payloads are caught)
        // and upper-case it so the substring checks are case-insensitive.
        $temp = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));
        // Reject any request whose URI carries one of these markers.
        if(strpos($temp, '<') !== false || strpos($temp, '"') !== false || strpos($temp, 'CONTENT-TRANSFER-ENCODING') !== false) {
            system_error('request_tainting');
        }
        return true;
    }
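To see what the two rejection paths actually match, here is an added Python model of the check (not Discuz code and not from either poster). The URI scan mirrors the snippet above; the formhash comparison is the step the thread says this version dropped, written here in an assumed shape (formhash is Discuz's per-visitor anti-CSRF token, which is why removing the comparison weakens protection).

```python
from urllib.parse import unquote

# Substrings the posted _xss_check rejects after double-decoding and upper-casing.
TAINT_MARKERS = ("<", '"', "CONTENT-TRANSFER-ENCODING")


def uri_is_tainted(request_uri: str) -> bool:
    """Mirror of the posted URI scan: decode twice, upper-case, look for markers."""
    temp = unquote(unquote(request_uri)).upper()
    return any(marker in temp for marker in TAINT_MARKERS)


def xss_check(request_uri: str, query: dict, session_formhash: str) -> str:
    """Return 'ok' or 'request_tainting', modelling both rejection paths.

    The formhash branch is an assumed model of the step the modified code
    removed, not a copy of the upstream implementation.
    """
    # 1. A formhash carried in the query string must match the visitor's own.
    #    A guest whose session changed (cache cleared, cookies gone) but who
    #    submits a search form URL carrying an old formhash hits this path.
    if "formhash" in query and query["formhash"] != session_formhash:
        return "request_tainting"
    # 2. The URI taint scan from the posted code.
    if uri_is_tainted(request_uri):
        return "request_tainting"
    return "ok"


if __name__ == "__main__":
    # Constructed sample URIs, not taken from any real site.
    for uri in ("/search.php?mod=forum&srchtxt=hello",
                "/search.php?srchtxt=%253Cscript%253E",
                "/x?y=content-transfer-encoding"):
        print(uri, "->", "tainted" if uri_is_tainted(uri) else "clean")
```

Note that a plain search term such as `it's (a) test` passes the URI scan; only `<`, `"` and the MIME header name are matched, so the mobile-search failure in the thread is far more likely to come from the formhash path than from the search text.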
@小樱 That is actually not very safe. Rather than deleting it here, deleting this line instead would probably be a little safer: https://gitee.com/ComsenzDiscuz/DiscuzX/blob/master/upload/template/default/touch/search/forum.htm#L23
If the desktop version has the same problem: https://gitee.com/ComsenzDiscuz/DiscuzX/blob/master/upload/template/default/search/forum.htm#L5