I just saw a tutorial on a PHP site, and saw the super global $_SERVER['SERVER_SELF'] getting sanitized with htmlspecialchars. Is there any use for this? If you submit a form that has form action="$_SERVER['SERVER_SELF']", what difference does it make what the URL is set to when submitting the form, because the browser will only submit to the URL.

Sorry I meant $_SERVER["PHP_SELF"]


It's to avoid XSS.
When it's used in a form action:

<form action="<?php echo $_SERVER['PHP_SELF'];?>" ...>

It's vulnerable to XSS as a user could go to your form page and add some JS in the URL, e.g.

http://www.example.com/myform.php/%22%3E%3Cscript%3Ealert('youFOOL')%3C/script%3E ...

This would be translated to something like:

<form action="myform.php" ... />
<script>alert('youFOOL')</script> ...

Now that may be pretty harmless, but it can be made to run files from another server.

So you use htmlentities() to sanitize it.
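As an added illustration (not code from the thread), the two render functions below are hypothetical: one echoes PHP_SELF into the action attribute unescaped, the other escapes it with htmlspecialchars(), and both are fed a constructed PHP_SELF value matching the URL above.

```php
<?php
// Added example, not from the original thread. Shows what the form tag becomes
// when PHP_SELF is echoed raw versus escaped with htmlspecialchars().

function formActionRaw(string $phpSelf): string
{
    // Vulnerable on purpose: the request-controlled path lands straight in the attribute.
    return '<form action="' . $phpSelf . '" method="post">';
}

function formActionEscaped(string $phpSelf): string
{
    // Hardened: ENT_QUOTES encodes both " and ', so the value cannot close the
    // attribute, and < > are encoded, so no tag can start inside it.
    return '<form action="' . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// Constructed value: what PHP_SELF holds after a request to the decoded form of
// http://www.example.com/myform.php/%22%3E%3Cscript%3Ealert('youFOOL')%3C/script%3E
// (PHP_SELF includes the trailing PATH_INFO, which is why it is attacker-influenced).
$tainted = '/myform.php/"><script>alert(\'youFOOL\')</script>';

$raw     = formActionRaw($tainted);
$escaped = formActionEscaped($tainted);

echo $raw, PHP_EOL;
echo $escaped, PHP_EOL;

// Self-checks: the raw render contains a live <script> tag, the escaped one does not,
// and the escaped attribute value still stays inside its quotes.
assert(strpos($raw, '<script>') !== false);
assert(strpos($escaped, '<script>') === false);
assert(strpos($escaped, '&quot;&gt;&lt;script&gt;') !== false);
```

The escaped attribute still posts back to the same page, because browsers decode the entities when resolving the action URL.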

But it is impossible to manipulate the URL on the fly, because when you press post, the browser can only submit to the unmodified version of the URL rather than the modified one.