Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Possible Duplicate:
PHP_SELF and XSS
Why it’s necessary to filter $_SERVER[‘PHP_SELF’], from e.g.:
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<!-- form contents -->
</form>
to:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>">
<!-- form contents -->
</form>
in order to make it XSS-attack proof?
and:
How can attacker reach end users other than himself using the “vulnerability” of the first form?
If you’re using
AcceptPathInfoor something similar such that a URI like/index.php/foo/baris directed to/index.php, requesting/index.php/%22%E3E…can get your following data outside theformtag.And as for the second question: click here.