Home/ Questions/Q 8791901
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T22:54:23+00:00

Looking at an old code of a client, he’s using <form action=<?php echo $_SERVER[‘PHP_SELF’];

  • 0

Looking at an old code of a client, he’s using

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" />

I was wondering if it was subject to XSS, but when I try :

  • form.php"><script>alert('xss');</script> => 404 NOT FOUND from Apache
  • form.php/"><script>alert('xss');</script> => 404 From my app

I must specify that I also use ?action=specific_page in the url for its normal use.

Does that mean no XSS is possible using PHP_SELF or does that mean I’m trying it the wrong way?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If your form is at form.php script, try accessing it with an url in the browser like http://yoursite.com/form.php/"><script>alert('XSS')</script> to see if it is vulnerable to injection.

    If it doesn’t do anything, your configuration prevents this, at least for this specific file.

    (Of course, you should use something like htmlspecialchars($_SERVER['SCRIPT_NAME']) anyway.)

    • 0