I am learning about cross-side scripting and have made a simple html page along with a php page to return the data entered

<!DOCTYPE html>

<form name = "MyForm" id = "MyForm" method = "POST" action = "handle.php">
    <label name = "MyLabel" id = "MyLabel" for = "FirstName">First Name</label>
    <input type = "text" name = "FirstName" id = "FirstName">
    <input type = "submit" name = "ButtonSubmit" id = "ButtonSubmit">


$Name = $_POST['FirstName'];

echo "Injected: " .$Name;

when I enter in a script <script>alert("Injected!");</script> in google chrome, chrome takes out all the content inside the script tags. It allows html injections for example injecting <h1>Injected!</h1> into the input field.

I believe its some kind of anti xss embedded into chrome that prevents injecting script tags.

Can anyone confirm this?

4 Years
Discussion Span
Last Post by hericles

I can confirm this as true. It's not perfect however, you can fudge the script tags in various ways that the script analyser will ingnore and pass through (I saw some methods that use comment delimiters).
But inputting <script> tags into inputs in Chrome doesn't work, they get scrubbed out.
I think safari has anti-XSS as well.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.