Member Avatar for iConqueror

I am learning about cross-side scripting and have made a simple html page along with a php page to return the data entered

<!DOCTYPE html>
<html>
<head>
    <title>Inject</title>
</head>
<body>


<form name = "MyForm" id = "MyForm" method = "POST" action = "handle.php">
    <label name = "MyLabel" id = "MyLabel" for = "FirstName">First Name</label>
    <input type = "text" name = "FirstName" id = "FirstName">
    <input type = "submit" name = "ButtonSubmit" id = "ButtonSubmit">
</form>

</body>
</html>



<?php
$Name = $_POST['FirstName'];

echo "Injected: " .$Name;

when I enter in a script <script>alert("Injected!");</script> in google chrome, chrome takes out all the content inside the script tags. It allows html injections for example injecting <h1>Injected!</h1> into the input field.

I believe its some kind of anti xss embedded into chrome that prevents injecting script tags.

Can anyone confirm this?

  • 2 Contributors
  • 1 Reply
  • 159 Views
  • 3 Hours Discussion Span
  • Latest Post Latest Post by hericles
Member Avatar for hericles

I can confirm this as true. It's not perfect however, you can fudge the script tags in various ways that the script analyser will ingnore and pass through (I saw some methods that use comment delimiters).
But inputting <script> tags into inputs in Chrome doesn't work, they get scrubbed out.
I think safari has anti-XSS as well.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.