Posted by BootNic on 10/19/07 22:46
"Jonathan N. Little" <lws4art@centralva.net> wrote:
news:b7604$47190931$40cba7cb$32210@NAXS.COM:
> BootNic wrote:
>> "Jonathan N. Little" <lws4art@centralva.net> wrote:
>> news:46b3f$4718be9b$40cba7cb$16012@NAXS.COM:
>>
>>>> <form method="post" action="<? echo $_SERVER["PHP_SELF"]; ?>">
>>>> (rest of form...) </form>
>>> I feel compelled to warn you all that you should *not* do the above
>>> example. There is an XSS flaw in it. A safe example to demonstrate
>>> the risk is to pass this to the example script:
>>>
>>> http://example.com/risky.php/%22%3E%3Cscript%3Ealert('xss, time to be worried')%3C/script%3E%3Cfoo
>>>
>>> You will get a harmless alert box, but there are a lot more
>>> nefarious things that can be done. There is an easy fix though,
>>> don't use the raw URL parsed by $_SERVER["PHP_SELF"].
>>>
>>> $sanitized = htmlentities($_SERVER['PHP_SELF']); // prevent XSS insertion
>>>
>>> Then use:
>>>
>>> <form method="post" action="<?php echo $sanitized; ?>">
>>
>> $_SERVER["SCRIPT_NAME"] may be an alternative.
>>
>
> Yes, but you would lose any legitimate query string parameters if this
> was a GET process.
Where would it go?
$_GET perhaps
--
BootNic Friday October 19, 2007 6:46 PM
Inform all the troops that communications have completely broken
down.
*Ashleigh Brilliant*
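An added example, not code from anyone in the thread, showing the three variants discussed side by side on a constructed $_SERVER array: the raw PHP_SELF form, the htmlentities() fix, and the SCRIPT_NAME alternative with the query string re-attached. The PATH_INFO segment and query string are constructed values, and the re-attachment of QUERY_STRING is one way to keep the GET parameters that Jonathan notes SCRIPT_NAME drops.

```php
<?php
// Constructed request (not a real capture): /risky.php called with extra
// path info after the script name, plus a legitimate query string.
$server = [
    'PHP_SELF'     => '/risky.php/"><em>injected</em>', // script path + attacker-controlled PATH_INFO
    'SCRIPT_NAME'  => '/risky.php',                     // script path only; PATH_INFO is never included
    'QUERY_STRING' => 'page=2&sort=name',
];

// 1. The form from the thread: PATH_INFO lands verbatim inside the attribute,
//    so the closing quote in the path ends the attribute early.
function action_raw(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// 2. The fix from the thread: htmlentities() encodes the quote as &quot; and
//    the angle brackets as &lt; / &gt;, so the attribute cannot be broken out of.
function action_sanitized(array $server): string
{
    $sanitized = htmlentities($server['PHP_SELF'], ENT_QUOTES, 'UTF-8'); // prevent XSS insertion
    return '<form method="post" action="' . $sanitized . '">';
}

// 3. The alternative from the thread: SCRIPT_NAME contains no PATH_INFO at all.
//    It also carries no query string, so the GET parameters are appended from
//    QUERY_STRING; that part is user input too, so it is still escaped.
function action_script_name(array $server): string
{
    $action = $server['SCRIPT_NAME'];
    if ($server['QUERY_STRING'] !== '') {
        $action .= '?' . $server['QUERY_STRING'];
    }
    return '<form method="post" action="' . htmlentities($action, ENT_QUOTES, 'UTF-8') . '">';
}

echo action_raw($server), "\n";         // attribute closed early by the injected quote
echo action_sanitized($server), "\n";   // .../risky.php/&quot;&gt;&lt;em&gt;injected&lt;/em&gt;
echo action_script_name($server), "\n"; // /risky.php?page=2&amp;sort=name
```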