htmlentitites ENT_QUOTES in HTML attributes?

Hi List,

I just figured that the browsers on my system interpret &#039;
inside an href or onclick attribute as a plain '.

Imagine the user input is the following line:

param2" foo';);alert(document.cookie);alert('

Which is being written by the script like that:

<a href="javascript:void(0);" onclick="example(1,
'USER_INPUT_GOES_HERE');">test</a>

USER_INPUT is sent through htmlentities($str, ENT_QUOTES, 'UTF-8');

The result is the following then:

<html><body>
<script type="text/javascript">
function example(a, b) {
  alert('valid alert; params: '+ a+', '+b);
}
</script>

<a href="javascript:void(0);" onclick="example(1, 'param2&quot; foo&#039;);alert(document.cookie);alert(&#039;');">test</a>
</body></html>


My browsers will alert the document.cookie.
Please confirm this (and keep in mind that document.cookie is just
empty when tested locally).


Regards

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
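As an added illustration (not code from the original post), the Node.js script below models the two decoding stages an onclick value passes through: the HTML parser decodes character references in the attribute value, and only then does the JavaScript engine parse the handler. It uses a constructed input and recording stubs in place of alert, and contrasts htmlentities-only encoding with escaping the value as a JavaScript string literal first.

```javascript
// Stage 0: PHP htmlentities($s, ENT_QUOTES, 'UTF-8'), limited to the
// characters that matter for this example.
function htmlentitiesEntQuotes(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Stage 1: the HTML parser decodes character references in an attribute
// value BEFORE the value reaches the script engine, so &#039; is a quote again.
function decodeAttributeValue(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/g, (_, n) => named[n]);
}

// Hardened encoding: make the value safe as a JS string literal FIRST (every
// non-alphanumeric character, backslash included, becomes \xHH or \uHHHH),
// then HTML-encode for the attribute. After HTML decoding the JS engine sees
// an escape sequence, never a bare quote, so the literal cannot be closed.
function jsStringEscape(s) {
  return Array.from(s, (ch) => {
    if (/[A-Za-z0-9]/.test(ch)) return ch;
    const cp = ch.codePointAt(0);
    return cp < 0x100 ? '\\x' + cp.toString(16).padStart(2, '0')
                      : '\\u' + cp.toString(16).padStart(4, '0');
  }).join('');
}

// Same template as the post's onclick attribute.
function buildOnclick(encodedInput) {
  return `example(1, '${encodedInput}');`;
}

// Stage 2: run the decoded handler with stubs that record every call.
// Returns [[functionName, secondArgument], ...] in call order.
function runHandler(attrValue) {
  const calls = [];
  const example = (a, b) => calls.push(['example', b]);
  const probe = (x) => calls.push(['probe', x]);
  new Function('example', 'probe', decodeAttributeValue(attrValue))(example, probe);
  return calls;
}

// Constructed input (not the post's payload): closes the string literal and
// appends a second call, which is the pattern the post describes.
const USER_INPUT = "x');probe('y";

// htmlentities alone: probe() runs as a separate statement.
function vulnerable() { return runHandler(buildOnclick(htmlentitiesEntQuotes(USER_INPUT))); }
// JS-escape, then htmlentities: the whole input stays inside the string.
function hardened() { return runHandler(buildOnclick(htmlentitiesEntQuotes(jsStringEscape(USER_INPUT)))); }
```

In PHP the same first stage is `json_encode($str, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)`, which yields a quoted literal that can then be passed through htmlentities; not using inline handlers at all (a data attribute read by script) avoids the double-decoding problem entirely.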