在common.inc.php文件的69行:
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$SCRIPT_FILENAME = str_replace('\\\\', '/', (isset($_SERVER['PATH_TRANSLATED']) ? $_SERVER['PATH_TRANSLATED'] : $_SERVER['SCRIPT_FILENAME']));
$boardurl = 'http://'.$_SERVER['HTTP_HOST'].preg_replace("/\/+(api|archiver|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/';
取得$_SERVER['PHP_SELF']的最后一个/前的字符串后直接拼入了$boardurl,没做其他处理
在index.php文件的49行:
$rssstatus && $rsshead = '<link rel="alternate" type="application/rss+xml" title="'.$bbname.'" href="'.$boardurl.'rss.php?auth='.$rssauth.'">';
这里调用了$boardurl,
在header.htm中的12行:
<link rel="archives" title="$bbname" href="{$boardurl}archiver/">
$rsshead
这里调输出了$boardurl,同时还有$rsshead,
Discuz! 6.0
解决方法:
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
改为:
$PHP_SELF = htmlspecialchars($_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);
)
)
)
