Posted by petersprc on 11/24/06 04:01

You are right that PHP_SELF doesn't include any of the query part. But
still, outputting an unsanitized PHP_SELF would be a problem and could
lead to an XSS vulnerability, because the client can usually include
arbitrary text in the PATH_INFO part. If you use htmlentities, it
should pretty much address that potential problem.

Jim Carlock wrote:
> Jim Carlock wrote...
> : After messing with a few things I noticed 'PHP_SELF'
> : returns the page name without the $_GET query strings...
> :
> : http://blog.phpdoc.info/archives/13-XSS-Woes.html
>
> "petersprc" stated...
> : When using PHP_SELF, I would suggest encoding it appropriately.
> : For instance:
> :
> : <form action="<?= htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
> :
> : In a request to /home.php/a/b/c/d?p=q, your variables would usually
> : be:
> :
> : REQUEST_URI: /home.php/a/b/c/d?p=q
> : SCRIPT_NAME: /home.php
> : PATH_INFO: /a/b/c/d
> : QUERY_STRING: p=q
> : PHP_SELF: /home.php/a/b/c/d
> :
> : An inbound link could put some unsafe code in the PATH_INFO
> : part, so it's good to encode it when outputting it as HTML.
>
> Good information. Thanks Peter. Maybe it was an Apache bug fixed
> by Apache 1.3.37?
>
> Another thing that occurs, PHP_ERR.LOG files show up when
> the temporary directory gets deleted, in other words when the
> temporary folder goes bye bye, "php_err.log" files start appearing
> in the folders of the website which uses $_SESSION variables.
> I'm working with PHP 4.4.4 and Apache 1.3.37 (Windows).
>
> Comments are appreciated.
>
> Thanks.
>
> --
> Jim Carlock

[Back to original message]