
I just saw a tutorial on a PHP site, and saw the super global $_SERVER['SERVER_SELF'] getting sanitized with htmlspecialchars. Is there any use for this? If you submit a post that has form action="$_SERVER['SERVER_SELF']", what difference does it make what the URL is set to when submitting a form, because the browser will only submit to the URL.

3 Contributors, 5 Replies, 7 Views, 4 Years Discussion Span, Last Post by LastMitch

It's to avoid XSS.
When it's used in a form action:

<form action="<?php echo $_SERVER['PHP_SELF'];?>" ...>

It's vulnerable to XSS as a user could go to your form page and add some JS in the URL, e.g.

http://www.example.com/myform.php/%22%3E%3Cscript%3Ealert('youFOOL')%3C/script%3E ...

This would be translated to something like:

<form action="myform.php" ... />
<script>alert('youFOOL')</script> ...

Now that may be pretty harmless, but it can be made to run files from another server.

So you use htmlentities() to sanitize it.


But it is impossible to manipulate the URL on the fly, because when you press post, the browser can only submit to the unmodified version of the URL rather than the modified one.
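The following is an added example, not code from the answer or the reply above. It simulates the request path that the crafted link in the answer produces and renders the form tag with and without escaping; the point is that the injected markup is already in the page the browser renders when it loads that link, before any form is submitted, so what URL the form eventually posts to is not what the escaping protects against. The renderer function names and the `method="post"` attribute are assumptions for the demonstration.

```php
<?php
// Added example, not code from the thread above. The text after myform.php in
// the crafted link is PATH_INFO, which PHP appends to PHP_SELF, so the value
// below is what $_SERVER['PHP_SELF'] holds when that link is opened.
$_SERVER['PHP_SELF'] = '/myform.php/"><script>alert(\'youFOOL\')</script>';

// Vulnerable pattern from the thread: PHP_SELF goes straight into the attribute.
function render_unsafe(string $self): string
{
    return '<form action="' . $self . '" method="post"></form>';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES escapes
// both quote styles; the explicit charset avoids encoding-dependent bypasses.
function render_safe(string $self): string
{
    $action = htmlspecialchars($self, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '" method="post"></form>';
}

// Reports whether a raw <script> tag survives in the markup, i.e. whether the
// browser would execute it while rendering the page (no submission needed).
function has_live_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach (['unsafe', 'safe'] as $mode) {
    $html = $mode === 'safe'
        ? render_safe($_SERVER['PHP_SELF'])
        : render_unsafe($_SERVER['PHP_SELF']);
    printf("%-6s script executes: %s\n%s\n\n",
        $mode, has_live_script($html) ? 'yes' : 'no', $html);
}
```

Hardcoding the action path, or leaving `action` empty so the browser posts back to the current document URL, avoids echoing request-controlled data into the page at all.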
