Posted by petersprc on 11/21/06 06:16
Hi,
When using PHP_SELF, I would suggest encoding it appropriately. For
instance:
<form action="<?= htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
In a request to /home.php/a/b/c/d?p=q, your variables would usually be:
REQUEST_URI: /home.php/a/b/c/d?p=q
SCRIPT_NAME: /home.php
PATH_INFO: /a/b/c/d
QUERY_STRING: p=q
PHP_SELF: /home.php/a/b/c/d
An inbound link could put some unsafe code in the PATH_INFO part, so
it's good to encode it when outputting it as HTML.
Jim Carlock wrote:
> Are the XSS / Cross Site Scripting attacks fixed in Version 4.44?
>
> I'm seeing that $_SERVER['PHP_SELF'] doesn't return the
> $_SERVER['HTTP_QUERYSTRING'] appended to it.
>
> I was just messing with a few things and noticed that PHP_SELF
> returns only the page name now and without the $_GET query...
>
> http://blog.phpdoc.info/archives/13-XSS-Woes.html
>
> Any comments on this are appreciated.
>
> Thanks.
>
> --
> Jim Carlock
> Post replies to the group.
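The following is an added example, not code from either poster: it builds the request described above (a /home.php/... URL with a hostile PATH_INFO segment) as constructed $_SERVER values and shows the unencoded form action beside the encoded one. The function names (form_action_unsafe, form_action_safe, form_action_script_name) are made up for the example.

```php
<?php
// Added example, not part of the original post. The $_SERVER entries
// below are constructed to mimic a request for
//   /home.php/"><script>alert(1)</script>?p=q
// i.e. the same shape as /home.php/a/b/c/d?p=q, but with markup in the
// PATH_INFO part. PHP_SELF is SCRIPT_NAME plus PATH_INFO, so the
// injected text travels with it.
$_SERVER['SCRIPT_NAME']  = '/home.php';
$_SERVER['PATH_INFO']    = '/"><script>alert(1)</script>';
$_SERVER['QUERY_STRING'] = 'p=q';
$_SERVER['PHP_SELF']     = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Vulnerable: the raw value closes the action attribute and the
// attacker's <script> lands in the page.
function form_action_unsafe(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '">';
}

// Hardened: encode for an HTML attribute context. ENT_QUOTES turns both
// " and ' into entities, so the attribute cannot be broken out of; the
// explicit charset avoids surprises with the default encoding.
function form_action_safe(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '">';
}

// Alternative: if the form only needs to post back to the script itself,
// SCRIPT_NAME carries no PATH_INFO and so no user-controlled path
// segment. It is still encoded here, for consistency.
function form_action_script_name(): string
{
    $script = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $script . '">';
}

echo form_action_unsafe(), "\n";
echo form_action_safe(), "\n";
echo form_action_script_name(), "\n";
```

Run it from the command line to compare the three lines: the first contains a live <script> tag inside what was meant to be an attribute, the second has every quote and angle bracket turned into an entity, and the third drops the PATH_INFO part entirely. htmlentities() with ENT_QUOTES, as in the post, gives the same protection for this input; htmlspecialchars() is used here because it encodes only the characters that matter for HTML and leaves the rest of the path readable.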