Stuart wrote:
> Please include the list when replying unless you're looking to hire me!
>
> 2009/3/11 filtered <zopyxfilter@xxxxxxxxxxxxxx>
>
>> On Wed, Mar 11, 2009 at 13:41, Stuart <stuttle@xxxxxxxxx> wrote:
>>> 2009/3/11 filtered <zopyxfilter@xxxxxxxxxxxxxx>
>>> $_GET['cam'] looks fine. $_GET['studio'] is not.
>>> I could build a URL that would output a javascript tag to do anything I want
>>> from the security context of a page on your site. This is not good.
>>> Check out http://php.net/htmlentities and associated functions.
>> More detailed question: is this code prone to attacks against the local
>> web/php-server? I agree that it is weak with respect to XSS.
>
> Not on the face of it, but we would need a lot more of your code to decide
> that for certain, something which goes way beyond the scope of this list.
>
> But I would ask the question why it matters? It's bad so fix it. If you
> really have code like this anywhere in your site, escape it.
>
> Escape stuff coming in and escape stuff going out. There are no exceptions.

Actually that should be: filter stuff coming in, escape stuff going out. Where 'coming in' really means any input vector (reading from db, from a file, request input, etc.) and 'going out' really means any output vector (writing to db, writing to file, outputting to browser, etc.).

Note that the filtering & escaping that you should be doing depends on the context/vector in question (you escape data differently when writing to the db as compared to outputting data).

Welcome to the web: where every day we take the golden rule of keeping data, code and presentation separate ... and stick it in a blender (along with the data, the code and the presentation) ... successfully filtering/escaping data out here means making sense of the goop in the blender and 'doing the right thing' with it ... have fun with that, I know I don't :-)

> Ever.
>
> -Stuart

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
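An added example (not code from the thread or from the original poster) showing one way to apply "filter stuff coming in, escape stuff going out" to the $_GET['cam'] and $_GET['studio'] parameters discussed above, with the escaping chosen per output context. The allowed value ranges, the pattern and the helper names are assumptions, and the request array is constructed.

```php
<?php
// Added illustration, not the poster's code. 'cam' and 'studio' are the
// parameter names from the thread; everything else is assumed.
declare(strict_types=1);

// --- Filtering on the way in: accept only what the parameter may contain,
// and fall back to a safe default instead of "cleaning up" a hostile value.
function filterCam(array $get): int          // assumed: small positive id
{
    $v = filter_var($get['cam'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 999]]);
    return $v === false ? 1 : $v;
}

function filterStudio(array $get): string    // assumed: short identifier
{
    $v = (string) ($get['studio'] ?? '');
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $v) === 1 ? $v : 'default';
}

// --- Escaping on the way out: the encoding depends on where the value lands.
function escapeHtml(string $s): string       // HTML body or attribute value
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escapeJs(string $s): string         // a string literal inside <script>
{
    return (string) json_encode($s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function escapeUrlParam(string $s): string   // a value inside a query string
{
    return rawurlencode($s);
}
// For the database context, a prepared statement's placeholder does the
// escaping; none of the three functions above is appropriate there.

// Constructed request standing in for $_GET; 'studio' carries markup that the
// thread's unescaped echo would have emitted verbatim.
$request = ['cam' => '7', 'studio' => '"><script>alert(1)</script>'];
$cam     = filterCam($request);              // 7
$studio  = filterStudio($request);           // pattern rejects it -> 'default'

// A value that passed the filter is still escaped for the context it enters.
echo '<img src="/cam/' . escapeUrlParam((string) $cam) . '.jpg" alt="'
   . escapeHtml($studio) . "\">\n";
echo '<script>var studio = ' . escapeJs($studio) . ";</script>\n";
echo '<a href="?cam=' . escapeUrlParam((string) $cam) . '&amp;studio='
   . escapeUrlParam($studio) . "\">next</a>\n";
```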