Imagine this simple form
<form action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="post">
<fieldset>
<legend>Contact Me</legend>
<label for="email">Email:</label>
<input type="text" name="email" id="email" />
<button type="submit">Submit</button>
</fieldset>
</form>
Now imagine it is accessed via form.php?hack=" onsubmit="alert('xss')
The output when I view source is
<form action="/things/?hack=%22%20onsubmit=%22alert(%27xss%27)" method="post">
What is encoding this – is it the browser or PHP?
Outside of curiosity, I always echo $_SERVER['REQUEST_URI'] within htmlspecialchars().
That is done by the browsers; if you are under some PHP framework, some of them also change it. It is similar to what you do using PHP’s urlencode function.
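The question's habit of wrapping `$_SERVER['REQUEST_URI']` in `htmlspecialchars()` is the part that actually protects the form, because the percent-encoding seen in the view-source output comes from the client, not from PHP. The following is an added example, not code from the original question or answer: it feeds two constructed `REQUEST_URI` values (the page's URL as a browser encodes it, and the same URL with the characters left unencoded, as a non-browser HTTP client could send them) through an unescaped and an escaped version of the form's `action` attribute and checks whether the attribute stays closed. The function and variable names are the example's own.

```php
<?php
// Added example (not from the original post). $_SERVER['REQUEST_URI'] is
// whatever bytes the client sent: a browser percent-encodes the query string,
// but nothing forces every HTTP client to do so, so the server must escape
// the value itself when placing it inside HTML.

// Unsafe: what the question's form does.
function renderActionUnsafe(string $requestUri): string
{
    return '<form action="' . $requestUri . '" method="post">';
}

// Safe: escape for an HTML attribute context (ENT_QUOTES also covers single quotes).
function renderActionSafe(string $requestUri): string
{
    $escaped = htmlspecialchars($requestUri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// The template itself contains exactly four double quotes (two for action,
// two for method). Any extra quote means the value escaped its attribute.
function attributeStaysClosed(string $html): bool
{
    return substr_count($html, '"') === 4;
}

// Constructed sample values of $_SERVER['REQUEST_URI'] (not captured requests):
// (1) the question's URL as a browser sends it, query percent-encoded;
// (2) the same URL as another HTTP client could send it, characters unencoded.
$samples = [
    'browser-encoded' => '/things/?hack=%22%20onsubmit=%22alert(%27xss%27)',
    'raw-client'      => '/things/?hack=" onsubmit="alert(\'xss\')',
];

foreach ($samples as $label => $uri) {
    $unsafe = renderActionUnsafe($uri);
    $safe   = renderActionSafe($uri);
    printf("%-16s unsafe: %s\n", $label, attributeStaysClosed($unsafe) ? 'ok' : 'ATTRIBUTE BROKEN');
    printf("%-16s safe:   %s\n", $label, attributeStaysClosed($safe) ? 'ok' : 'ATTRIBUTE BROKEN');
    echo "  ", $safe, "\n";
}
```

Only the `raw-client` input through `renderActionUnsafe()` reports `ATTRIBUTE BROKEN`; the escaped version keeps the attribute closed for both inputs, which is why the escaping cannot be left to the browser.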