The files that comprise your team's website are on the
www in the directory:

    C:\Program Files\Apache Software Foundation\Apache2.2

To defeat HTML injection attacks, we need to sanitize input. In the simplest case, that means disallowing <'s in user input. This site is a bit odd because the file

    htdocs\index.html

is actually regenerated every time the script

    cgi-bin\survey.cgi

is executed, i.e. every time someone submits a comment. So, modifying

    index.html

doesn't solve anything (your edit is overwritten on the next submission); you have to modify the script that regenerates it.
The easiest way to defeat HTML injection is to replace any <'s
in submitted user input with ... well, with anything else! Let's
say with an
This can be done either client-side or server-side. But for both, we're going to have to modify the file

Client-side: open the file on www with Notepad. It includes a mix of HTML and code in a language called Python. Find the HTML code with the form for submitting comments. In particular, find the code for the submit button. Replace its onclick handler with

    onclick='document.forms.survey.txt.value = document.forms.survey.txt.value.replace(/</g, "X"); submit();'

Two things to watch here. First, the pattern is a regular expression with the g flag: JavaScript's replace with a plain string argument (replace("<","X")) only rewrites the first < it finds, so a comment containing two tags would still get through. Second, this only changes what a cooperating browser sends; anyone who posts the form fields directly to survey.cgi (with curl, or just by disabling JavaScript) skips the handler entirely. The client-side change is a convenience for honest users, not a defense on its own, so do the server-side change as well.
Server-side: open the file on www with Notepad. It includes a mix of HTML and code in a language called Python. Even though you don't know Python, you should be able to spot the point in the Python code at which the variable

    comments

gets its value, and wrap the submitted form value in a call to cgi.escape, i.e.

    cgi.escape(form["txt"].value)

which will "escape" special HTML characters like < (it becomes &lt;, which the browser displays rather than interprets) before the Python script adds the comments to index.html. Two caveats: by default cgi.escape does not escape quote characters, so it is only sufficient when the comment lands in element content, not inside an attribute value (pass quote=True if it does); and cgi.escape was removed in Python 3.8, where html.escape is the replacement.
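The server-side fix, shown as an added example that is not the page's survey.cgi: a minimal stand-in for the part of the script that builds index.html from the submitted comments, first the injection-prone way and then with the submitted text escaped. The page template, the comment strings and the function names are constructed for illustration; html.escape is used because cgi.escape no longer exists in current Python, and its quote=True default also covers the attribute-value case that cgi.escape's default left open.

```python
# Added example (not the course's survey.cgi): escaping user-submitted
# comments before they are written into the regenerated index.html.
import html

# Constructed sample of what an attacker might type into the comment box.
# Note the two tags: a fix that only handles the first "<" would miss the second.
MALICIOUS_COMMENT = '<script>alert(1)</script> "great" & <b>bold</b>'

# Constructed stand-in for the HTML that the CGI script regenerates.
PAGE_TEMPLATE = "<html><body><h1>Survey</h1><ul>\n{items}</ul></body></html>\n"


def render_unsafe(comments):
    """The injection-prone pattern: user text concatenated into HTML verbatim.
    This is what survey.cgi effectively does before the fix."""
    items = "".join("<li>%s</li>\n" % c for c in comments)
    return PAGE_TEMPLATE.format(items=items)


def escape_comment(text):
    """Server-side equivalent of wrapping form["txt"].value in cgi.escape.

    html.escape replaces & < > and, with quote=True (its default), " and '
    as well, so the result is inert both in element content and inside an
    attribute value. Every occurrence is replaced, not just the first.
    """
    return html.escape(text, quote=True)


def render_safe(comments):
    """Same page, but each comment is escaped before it is inserted."""
    items = "".join("<li>%s</li>\n" % escape_comment(c) for c in comments)
    return PAGE_TEMPLATE.format(items=items)


def contains_live_tag(rendered, tag="<script"):
    """Crude check used to compare the two renderings: does the raw tag
    survive into the page the browser will parse?"""
    return tag in rendered


def handle_submission(raw_txt, existing_comments):
    """What the CGI handler should do on POST: escape the new comment, append
    it, and regenerate the page. The browser-side replace() is deliberately
    not relied on here, because a direct POST never runs it."""
    comments = list(existing_comments) + [escape_comment(raw_txt)]
    items = "".join("<li>%s</li>\n" % c for c in comments)
    return comments, PAGE_TEMPLATE.format(items=items)


if __name__ == "__main__":
    print("unsafe page contains <script>:", contains_live_tag(render_unsafe([MALICIOUS_COMMENT])))
    print("safe page contains <script>:  ", contains_live_tag(render_safe([MALICIOUS_COMMENT])))
    print(escape_comment(MALICIOUS_COMMENT))
```

Running the block shows the unsafe rendering carrying the script tag straight into the page while the safe one contains only &lt;script&gt;; the escaped string is what you should expect to see when you view the source of index.html after applying the fix.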