I just saw a tutorial on a PHP site, and saw the super global $_SERVER['SERVER_SELF'] getting sanitized with htmlspecialchars. Is there any use for this? If you submit a post that has form action="$_SERVER['SERVER_SELF']", what difference does it make what the URL is set to when submitting a form, because the browser will only submit to the URL
Clanstrom
Recommended Answers
It's to avoid XSS.
When it's used in a form action:
<form action="<?php echo $_SERVER['PHP_SELF'];?>" ...>
It's vulnerable to XSS as a user could go to your form page and add some JS in the URL, e.g.
http://www.example.com/myform.php/%22%3E%3Cscript%3Ealert('youFOOL')%3C/script%3E ...
This would be translated …
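An added example, not from the thread, that renders the form action both ways for a constructed $_SERVER['PHP_SELF'] value (the decoded path from the URL quoted above) so the effect of htmlspecialchars is visible; the function names renderFormUnsafe and renderFormSafe are my own:

```php
<?php
// Added example (not the original thread's code). Renders the form action
// with and without escaping for a constructed PHP_SELF value.
// Run from the CLI: php demo.php
declare(strict_types=1);

// Constructed value: what PHP_SELF can look like when the request path carries
// extra path segments, i.e. the decoded form of the URL quoted in the answer.
$constructedPhpSelf = '/myform.php/"><script>alert(\'youFOOL\')</script>';

function renderFormUnsafe(string $phpSelf): string
{
    // Pattern from the thread: the value goes straight into the attribute,
    // so a quote in the path closes the attribute and the rest is parsed as HTML.
    return '<form action="' . $phpSelf . '" method="post">';
}

function renderFormSafe(string $phpSelf): string
{
    // Hardened: escape for an HTML attribute context. ENT_QUOTES covers both
    // quote styles, so the value cannot terminate the attribute early.
    $escaped = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

function attributeIsIntact(string $html): bool
{
    // Check: after escaping, no raw quote-then-tag sequence may remain and the
    // markup must still contain exactly the one tag we intended to emit.
    return strpos($html, '"><') === false && substr_count($html, '<') === 1;
}

echo "Unsafe: ", renderFormUnsafe($constructedPhpSelf), PHP_EOL;
echo "Safe:   ", renderFormSafe($constructedPhpSelf), PHP_EOL;

var_dump(attributeIsIntact(renderFormUnsafe($constructedPhpSelf))); // bool(false)
var_dump(attributeIsIntact(renderFormSafe($constructedPhpSelf)));   // bool(true)
```

htmlspecialchars is the right escaper only for HTML body and attribute contexts; the same value placed inside a script block or a URL parameter needs the escaping appropriate to that context.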
@Vribium
What is the point of sanitizing $_SERVER['SERVER_SELF'] ?
What diafol mentions is correct.
You can read more about this here:
I assume you have read this before: