在common.inc.php文件的69行: $PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']; $SCRIPT_FILENAME = str_replace('\\\\', '/', (isset($_SERVER['PATH_TRANSLATED']) ? $_SERVER['PATH_TRANSLATED'] : $_SERVER['SCRIPT_FILENAME'])); $boardurl = 'http://'.$_SERVER['HTTP_HOST'].preg_replace("/\/+(api|archiver|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/'; 取得$_SERVER['PHP_SELF']的最后一个/前的字符串后直接拼入了$boardurl,没做其他处理 在index.php文件的49行: $rssstatus && $rsshead = '<link rel="alternate" type="application/rss+xml" title="'.$bbname.'" href="'.$boardurl.'rss.php?auth='.$rssauth.'">'; 这里调用了$boardurl, 在header.htm中的12行: <link rel="archives" title="$bbname" href="{$boardurl}archiver/"> $rsshead 这里调输出了$boardurl,同时还有$rsshead, Discuz! 6.0 解决方法: $PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']; 改为: $PHP_SELF =...
在common.inc.php文件的69行: $PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']; $SCRIPT_FILENAME = str_replace('\\\\', '/', (isset($_SERVER['PATH_TRANSLATED']) ? $_SERVER['PATH_TRANSLATED'] : $_SERVER['SCRIPT_FILENAME'])); $boardurl = 'http://'.$_SERVER['HTTP_HOST'].preg_replace("/\/+(api|archiver|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/'; 取得$_SERVER['PHP_SELF']的最后一个/前的字符串后直接拼入了$boardurl,没做其他处理 在index.php文件的49行: $rssstatus && $rsshead = '<link rel="alternate" type="application/rss+xml" title="'.$bbname.'" href="'.$boardurl.'rss.php?auth='.$rssauth.'">'; 这里调用了$boardurl, 在header.htm中的12行: <link rel="archives" title="$bbname" href="{$boardurl}archiver/"> $rsshead 这里调输出了$boardurl,同时还有$rsshead, Discuz! 6.0 解决方法: $PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']; 改为: $PHP_SELF = htmlspecialchars($_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);
