Posted by BootNic on 10/19/07 18:29
"Jonathan N. Little" <lws4art@centralva.net> wrote:
news:46b3f$4718be9b$40cba7cb$16012@NAXS.COM:
>> <form method="post" action="<? echo $_SERVER["PHP_SELF"]; ?>">
>> (rest of form...)
>> </form>
>
> I feel compelled to warn you all that you should *not* do the above
> example. There is an XSS flaw in it. A safe example to demonstrate the
> risk is to pass this to the example script:
>
> http://example.com/risky.php/%22%3E%3Cscript%3Ealert('xss, time to be worried')%3C/script%3E%3Cfoo
>
> You will get a harmless alert box, but there are a lot more nefarious
> things that can be done. There is an easy fix though, don't use the
> raw URL parsed by $_SERVER["PHP_SELF"].
>
> $sanitized = htmlentities($_SERVER['PHP_SELF']); // prevent XSS insertion
>
> Then use:
>
> <form method="post" action="<?php echo $sanitized; ?>">
$_SERVER["SCRIPT_NAME"] may be an alternative.
--
BootNic Friday October 19, 2007 2:29 PM
The world is very different now. For man holds in his mortal hands
the power to abolish all forms of human poverty, and all forms of
human life.
*John Fitzgerald Kennedy, Inaugural Address*
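As an added illustration of the thread (not code from either poster), the script below contrasts the quoted raw `PHP_SELF` action with an escaped version and with `SCRIPT_NAME`. The `$_SERVER` values are constructed to mimic the demo URL above; `formAction()` is a hypothetical helper name.

```php
<?php
// Added example, not from the original posts. The request values below are
// constructed to mimic the thread's demo URL; nothing here came from a live server.
$_SERVER['SCRIPT_NAME'] = '/risky.php';
$_SERVER['PATH_INFO']   = '/"><script>alert(\'xss\')</script><foo';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Vulnerable (the quoted form): PATH_INFO is URL-decoded and reflected verbatim,
// so the "> in the path closes the action attribute and the rest becomes live markup.
$vulnerable = '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';

// Hardened: escape for an HTML attribute context. ENT_QUOTES is set explicitly so
// both " and ' are encoded whatever the PHP version's default flags are.
function formAction(string $path): string
{
    return htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$hardened = '<form method="post" action="' . formAction($_SERVER['PHP_SELF']) . '">';

// SCRIPT_NAME omits PATH_INFO, so the injected tail never appears. It is still
// request-derived rather than a constant, so it is escaped as well.
$viaScriptName = '<form method="post" action="' . formAction($_SERVER['SCRIPT_NAME']) . '">';

echo "raw PHP_SELF:        ", $vulnerable, PHP_EOL;
echo "escaped PHP_SELF:    ", $hardened, PHP_EOL;
echo "escaped SCRIPT_NAME: ", $viaScriptName, PHP_EOL;
```

Run it with `php` on the command line: only the first line contains an unescaped `<script>` tag, and only the third drops the injected path segment entirely.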