I need to construct a form whose action takes you back to the exact same page, GET parameters included. I'm thinking I can say something to the effect of:
    // Question's original approach: the raw query string is concatenated into the action attribute unescaped
    echo '<form action="' . $_SERVER['SCRIPT_NAME'] . '?' . $_SERVER['QUERY_STRING'] . '" method="post">';
This seems to work, and testing by passing a couple of XSS attacks seems to be successful, as the output of QUERY_STRING appears to be URL encoded. However, the PHP documentation does not mention this, so I'm not confident I can trust this behavior.
Is it safe to use QUERY_STRING the way I am above? If not, what can I do instead? References to documentation would be appreciated.
Update: switched to SCRIPT_NAME; I just mixed up which one was OK and which was bad in my head, thanks for catching me. action="" does resolve my specific issue nicely, but I'm still curious whether QUERY_STRING is pre-processed so that it is safe to use or not, since there are other times you might want to re-use the query string, assuming it's safe to do so.
You should never trust $_SERVER['QUERY_STRING'] as it can be used for XSS attacks.
In your case, one could exploit the vulnerability with:
Note that the code above works on IE; Firefox and Chrome efficiently encode the query string before sending it to the web server.
I would always wrap it with htmlentities (mind the double_encode parameter) as with every user input.
Good luck!
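The following is an added example, not code from the question or the answer above. It contrasts the question's raw concatenation with the escaping the answer recommends, using constructed query strings in place of a live `$_SERVER['QUERY_STRING']` (which PHP hands to the script exactly as the client sent it, without decoding or escaping, so a client that does not percent-encode delivers quotes and angle brackets verbatim). The function names, the script path and the sample query strings are assumptions made for the example; `htmlspecialchars` is used rather than `htmlentities`, as it covers the attribute-breaking characters and leaves other non-ASCII text alone.

```php
<?php
// Added example (not from the question or answer): building a self-submitting
// form action from the request's own query string, with and without escaping.
// The sample query strings below are constructed; in a real request the value
// would come from $_SERVER['QUERY_STRING'] exactly as the client sent it.

// Unsafe: the raw query string is dropped straight into an HTML attribute,
// so a double quote in it terminates the attribute value.
function form_action_unsafe(string $scriptName, string $queryString): string
{
    return '<form action="' . $scriptName . '?' . $queryString . '" method="post">';
}

// Safer: escape for the HTML attribute context. ENT_QUOTES covers both quote
// characters. The double_encode parameter is deliberately left at its default
// (true): a raw query string that already contains "&amp;" really does contain
// those five characters, so it must become "&amp;amp;" for the browser to
// decode the attribute back to the original bytes.
function form_action_safe(string $scriptName, string $queryString): string
{
    $action = $scriptName . ($queryString !== '' ? '?' . $queryString : '');
    return '<form action="'
        . htmlspecialchars($action, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '" method="post">';
}

$script = '/search.php'; // assumed script path for the example

// Constructed inputs: a normal query string, one carrying a double quote and
// angle brackets as a non-encoding client could send it, and one whose raw
// bytes already look like an HTML entity.
$samples = [
    'q=php&page=2',
    'q=x"><b>hi</b>',
    'q=a&amp;b',
];

foreach ($samples as $qs) {
    echo "query string: $qs\n";
    echo "  unsafe: " . form_action_unsafe($script, $qs) . "\n";
    echo "  safe:   " . form_action_safe($script, $qs) . "\n\n";
}
```

Run it with `php example.php` and compare the two lines per sample: in the unsafe variant the second sample closes the `action` attribute early and injects markup, while the escaped variant keeps the whole value inside the attribute and round-trips the third sample's literal `&amp;` unchanged. For the narrower goal of re-submitting to the current URL, the question's own `action=""` avoids echoing the query string at all.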