且构网


XSS javascript, vulnerability exploit check

Updated: 2023-09-11 21:44:34

There is no vulnerability here (please read before downvoting).

Just to clarify, the only code is what is above; the page is not pulling data from a database etc. (what you see above is virtually the full PHP page, just missing the html/head/body tags etc.).

Therefore the following two fields cannot be populated by anything other than the current user:

<input type="text" name="message" id="user_var1">
<input type="text" name="message" id="user_var2">

because there is no code present that populates these two fields.

The two DOM elements that are populated by code are as follows:

<span id='var1'></span>
<span id='var2'></span>

The code that does this is:

document.getElementById('var1').innerText = 
                document.getElementById("user_var1").value;
document.getElementById('var2').innerText = 
                document.getElementById("user_var2").value;

It is using the non-standard innerText rather than textContent; however, innerText will set the text content rather than the HTML content, preventing the browser from rendering any tags or script.

However, even if it were setting the innerHTML property instead, all the user could do is attack themselves (just the same as they could by opening up the developer tools within their browser).

However, in the interests of correct functional behaviour and internet standards, I would use textContent rather than innerText or innerHTML.

Note that

<script>alert(document.cookie);</script>

would not work anyway; it would have to be

<svg onload="alert(document.cookie)" />

or similar. HTML5 specifies that a <script> tag inserted via innerHTML should not execute.
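The following is an added example, not code from the answer above or from the page it discusses. It puts the answer's three sinks side by side using the two payloads the answer quotes (plus a constructed `<img onerror>` variant): `escapeHtml` is the string-level equivalent of what a textContent assignment does for free, `innerHtmlWouldExecute` is a heuristic written for this example (an assumption, not a sanitizer) encoding the answer's point that a bare `<script>` inserted via innerHTML does not run but an inline `on*` handler does, and `demoSinks` is a browser-only helper (it takes a `Document`) that shows what each sink produces. The helpers run under Node; the demo only runs where `document` exists.

```javascript
// Added example, not part of the original answer. Node-runnable helpers plus a
// browser-only demo (guarded) of the text sink versus the HTML sink.

// Payloads as quoted in the answer above, plus one more inline-handler variant
// (constructed for this demonstration).
const SCRIPT_PAYLOAD = '<script>alert(document.cookie);</script>';
const SVG_PAYLOAD = '<svg onload="alert(document.cookie)" />';
const IMG_PAYLOAD = '<img src=x onerror=alert(document.cookie)>';

// Escape a string so it is inert inside element content or a quoted attribute.
// Assigning textContent in the browser has the same effect without any parsing;
// explicit escaping is only needed when markup is built by string concatenation.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Heuristic written for this example (an assumption, not a sanitizer): would the
// string run script if assigned to innerHTML? A bare <script> inserted via
// innerHTML is created but not executed, whereas an inline on* handler attribute
// such as onload or onerror fires as soon as the element loads or fails to load.
// It only looks for on*= inside a tag; a quoted attribute value containing '>'
// or other parser tricks would defeat it, which is why it is not a filter.
function innerHtmlWouldExecute(markup) {
  return /<[^>]*\son[a-z]+\s*=/i.test(markup);
}

// Browser-only demonstration; `doc` is a Document. Returns what each sink does
// with the same payload so the result can be inspected in the console. The
// element stays detached from the page, but an <svg onload> or <img onerror>
// handler can still fire: this is exactly the self-XSS the answer describes.
function demoSinks(doc, payload) {
  const el = doc.createElement('div');

  el.textContent = payload;
  const textSinkSerialized = el.innerHTML;   // '&lt;svg onload=...': a single text node

  el.innerHTML = escapeHtml(payload);
  const escapedRoundTrip = el.textContent;   // equals the original payload string

  el.innerHTML = payload;
  const htmlSinkElements = el.children.length; // 1: a real <svg>/<img>/<script> element

  return { textSinkSerialized, escapedRoundTrip, htmlSinkElements };
}

if (typeof document !== 'undefined') {
  for (const p of [SCRIPT_PAYLOAD, SVG_PAYLOAD, IMG_PAYLOAD]) {
    console.log(p, innerHtmlWouldExecute(p), demoSinks(document, p));
  }
}
```

Pasting the block into a browser console shows the three outcomes the answer describes: the text sink serializes the payload as entities, the escaped HTML sink round-trips to the same string, and the raw HTML sink creates a real element (for the `<script>` payload the element exists but its body never runs; for the `onload`/`onerror` payloads the handler runs).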