On Mon, Apr 18, 2011 at 14:42, tedd <tedd@xxxxxxxxxxxx> wrote:
>
> No, I had a simple form where IF the user entered:
>
> <script> alert("Evil Code");</script>
>
> -- into the form's text field (i.e., $_POST['text'] ) AND clicked Submit,
> the form would
>
> echo( $_POST['text'] );
>
> -- and that would produce a JavaScript Alert.
>
> Here's the form:
>
> http://php1.net/a/insecure-form/index.php
>
> It was a simple working example of JavaScript Injection. But it no longer
> works and I want to find out why. The most popular reason thus far is
> "Browsers have changed", but I'm not sure as to what did change.

Look at the post-processing source --- note the slashes. Apply
stripslashes() to the output on the PHP side and all should be right
again with the world.

--
</Daniel P. Brown>
Network Infrastructure Manager
http://www.php.net/

--
PHP General Mailing List (http://www.php.net/)
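
The slashes mentioned in the reply, worked through as an added example that is not part of the original thread. It assumes the slashes come from PHP escaping request data before the script sees it (simulated here with addslashes(); the thread does not name the cause), and the htmlspecialchars() variant is an addition showing how the same field is echoed as inert text.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the text typed into the form field in the thread.
$typed = '<script> alert("Evil Code");</script>';

// Assumption: the server escapes quotes in request data before the script
// reads $_POST['text']. addslashes() reproduces that transformation.
$received = addslashes($typed);

// Three ways the form could echo the field back into the page.
$variants = [
    // What the form does today. The tag is still emitted, but alert(\"...\")
    // is a JavaScript syntax error, so no alert appears.
    'echo as received' => $received,

    // The change suggested in the reply: the original markup comes back,
    // and the demo runs the submitted script again.
    'stripslashes()' => stripslashes($received),

    // Output encoding for an HTML context: the browser shows the text
    // instead of parsing it as markup.
    'stripslashes() + htmlspecialchars()' =>
        htmlspecialchars(stripslashes($received), ENT_QUOTES, 'UTF-8'),
];

foreach ($variants as $label => $html) {
    // A literal "<script" in the output means the browser will parse a tag.
    $status = (stripos($html, '<script') !== false)
        ? 'script tag reaches the page'
        : 'inert text';
    printf("%-36s [%s]\n    %s\n\n", $label, $status, $html);
}
```

The first variant still reports a script tag reaching the page: the added slashes only break the quoted string inside this particular input, they do not encode the markup.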