Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Ok so I just wanted to know, is this necessarily a XSS vulnerability, as it does not output the results as such?
For example:
if($_GET['doRedirect'] == "yes") {
//redirect Page
} else {
//dont redirect page
}
then
http://example.com?doRedirect=yes
I have read up on all of the XSS stuff and thought I had a good understanding of it, although now im slightly confused. Is XSS only possible if the user input is then output on the page?
Many thanks 🙂
That should be safe.
Cross site scripting can only occur if you actually output something user-generated on your page.
An example of this would be if you took in a user’s name as the get parameter
nameand did the following:In this case, if someone set the
name-parameter to<script>alert('Hello, There!');</script>, they’ve suddenly got some JavaScript running on an URL hosted on your domain.Granted, that example is pretty benign, but the fact that they could run that code means they could run any code they wished. They could, for instance, add a script that logged the usernames and passwords of all users that logged in through that URL. Your site would appear genuine, but they would have access to things they shouldn’t have.
If you’re confused about, or interested in learning more about cross site scripting, take a look at these questions: