Posted by Jonathan N. Little on 10/19/07 19:44
BootNic wrote:
> "Jonathan N. Little" <lws4art@centralva.net> wrote:
> news:46b3f$4718be9b$40cba7cb$16012@NAXS.COM:
>
>>> <form method="post" action="<? echo $_SERVER["PHP_SELF"]; ?>">
>>> (rest of form...)
>>> </form>
>> I feel compelled to warn you all that you should *not* do the above
>> example. There is an XSS flaw in it. A safe example to demonstrate the
>> risk is to pass this to the example script:
>>
>> http://example.com/risky.php/%22%3E%3Cscript%3Ealert('xss, time to be
>> worried')%3C/script%3E%3Cfoo
>>
>> You will get a harmless alert box, but there are a lot more nefarious
>> things that can be done. There is an easy fix though, don't use the
>> raw URL parsed by $_SERVER["PHP_SELF"].
>>
>> $sanitized = htmlentities($_SERVER['PHP_SELF']); // prevent XSS insertion
>>
>> Then use:
>>
>> <form method="post" action="<?php echo $sanitized; ?>">
>
> $_SERVER["SCRIPT_NAME"] may be an alternative.
>
Yes, but you would lose any legitimate query string parameters if this
was a GET process.
--
Take care,
Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
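An added example, not code from this thread, contrasting the three action values discussed above: raw PHP_SELF, the htmlentities()-escaped PHP_SELF, and SCRIPT_NAME. The server variables are constructed so the script runs from the command line without a web server; the function names are mine.

```php
<?php
// Added example, not from the original thread. The $server array stands in
// for $_SERVER with constructed values: the script lives at /risky.php and
// the request appended PATH_INFO that tries to close the action="..."
// attribute, mirroring the test URL quoted in the thread.
$server = [
    'SCRIPT_NAME' => '/risky.php',
    'PHP_SELF'    => '/risky.php/"><script>alert(1)</script><foo',
];

function form_action_raw(array $server): string {
    // Vulnerable: PATH_INFO is reflected verbatim inside a quoted attribute.
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

function form_action_escaped(array $server): string {
    // Hardened: quotes and angle brackets become entities, so the value can
    // no longer terminate the attribute or start a tag. ENT_QUOTES is passed
    // explicitly because PHP before 8.1 escaped only double quotes by default.
    $sanitized = htmlentities($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $sanitized . '">';
}

function form_action_script_name(array $server): string {
    // Alternative from the thread: SCRIPT_NAME carries only the script path,
    // without the PATH_INFO suffix, so the injected segment never appears.
    return '<form method="post" action="' . $server['SCRIPT_NAME'] . '">';
}

echo form_action_raw($server), PHP_EOL;
echo form_action_escaped($server), PHP_EOL;
echo form_action_script_name($server), PHP_EOL;
```

Running it shows the first line reproducing the broken-out attribute, the second keeping the whole path inside the quotes as entities, and the third dropping the extra segment entirely.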