I am learning about cross-site scripting and have made a simple HTML page along with a PHP page to return the data entered:

```html
<!DOCTYPE html>
<html>
<head>
    <title>Inject</title>
</head>
<body>
    <form name="MyForm" id="MyForm" method="POST" action="handle.php">
        <label name="MyLabel" id="MyLabel" for="FirstName">First Name</label>
        <input type="text" name="FirstName" id="FirstName">
        <input type="submit" name="ButtonSubmit" id="ButtonSubmit">
    </form>
</body>
</html>
```

```php
<?php
$Name = $_POST['FirstName'];
echo "Injected: " . $Name;
```

When I enter a script, `<script>alert("Injected!");</script>`, in Google Chrome, Chrome takes out all the content inside the script tags. It allows HTML injection, for example injecting `<h1>Injected!</h1>` into the input field.
I believe it's some kind of anti-XSS feature embedded in Chrome that prevents injecting script tags.
Can anyone confirm this?
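
Whatever the browser does with the reflected payload, the reflection itself is fixed on the server by encoding output for the HTML context. The following hardened variant of `handle.php` is an added example, not part of the original question; the helper name `h`, the 200-byte length limit and the Content-Security-Policy value are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hardened variant of handle.php (not the poster's code).

// Encode a value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    // ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Declare the charset so the browser does not have to guess the encoding.
header('Content-Type: text/html; charset=UTF-8');
header('X-Content-Type-Options: nosniff');
// Defense in depth: under this policy inline <script> blocks and inline
// event handlers are not executed even if markup slips through.
header("Content-Security-Policy: default-src 'self'");

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method not allowed');
}

// $_POST['FirstName'] is an array when the client sends FirstName[]=x,
// so accept plain strings only.
$name = $_POST['FirstName'] ?? '';
if (!is_string($name)) {
    http_response_code(400);
    exit('Invalid input');
}

// Length limit in bytes; the value 200 is an assumption for this example.
$name = trim($name);
if (strlen($name) > 200) {
    http_response_code(400);
    exit('Name too long');
}

// Both <script>alert("Injected!");</script> and <h1>Injected!</h1> are now
// rendered as literal text instead of being parsed as markup.
echo 'Injected: ' . h($name);
```

With this version the `<h1>` injection that currently succeeds is neutralised as well, independent of any filtering the browser applies.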