On Mon, 2011-04-18 at 14:42 -0400, tedd wrote:
> At 1:09 PM -0400 4/18/11, Joshua Kehn wrote:
> >On Monday, April 18, 2011 at 1:06 PM, tedd wrote:
> >
> >>Hi gang:
> >>
> >>Quite some time ago I had a demo that showed JavaScript injection. It
> >>was where a user could type in:
> >>
> >><script> alert("Evil Code");</script>
> >>
> >>and a JavaScript alert would be shown.
> >>
> >>But now my demo no longer works. So, what happened? Was there a php
> >>update that prohibited that sort of behavior or did hosts start
> >>setting something to OFF, or what?
> >>
> >>If you know, please explain.
> >>
> >>Thanks,
> >>
> >>tedd
> >>--
> >>-------
> >>http://sperling.com/
> >>
> >Not that I know of. Are you talking about on-page injection, like
> >comments and such? Normally JS injection would be that (bad scripts
> >inserted by the user on a comment form or review page) or where you
> >are using eval() and they dump bad code into there.
> >
> >Regards,
> >
> >-Josh
>
> No, I had a simple form where IF the user entered:
>
> <script> alert("Evil Code");</script>
>
> -- into the form's text field (i.e., $_POST['text'] ) AND clicked
> Submit, the form would
>
> echo( $_POST['text'] );
>
> -- and that would produce a JavaScript Alert.
>
> Here's the form:
>
> http://php1.net/a/insecure-form/index.php
>
> It was a simple working example of JavaScript Injection. But it no
> longer works and I want to find out why. The most popular reason thus
> far is "Browsers have changed", but I'm not sure as to what did
> change.
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/
>

From the looks of it you're only outputting the htmlentities version of it, so it's outputting those <script> tags as &lt;script&gt; so the browser would think the whole thing is text.

--
Thanks,
Ash
http://www.ashleysheridan.co.uk
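The two behaviours the thread contrasts, as an added example that is not tedd's php1.net demo nor code from Ash's reply: one function reflects the posted field verbatim (the reflected-XSS demonstration tedd describes), the other passes it through htmlentities() (what Ash says the live page is actually doing). The script name, the CLI branch and the sample value standing in for $_POST['text'] are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread.
// Saved as, say, injection-demo.php and run either from the CLI or
// under a web server that exposes $_POST.

// Reflects the field verbatim. A value such as
//   <script>alert("Evil Code");</script>
// is sent back as markup, so the browser parses and runs it.
function render_insecure(string $text): string
{
    return '<p>You typed: ' . $text . '</p>';
}

// Encodes the HTML-significant characters (& < > " ') so the same
// value is sent back as text: the browser displays the tag and runs
// nothing. ENT_QUOTES also covers attribute contexts; naming the
// charset explicitly keeps the encoder and the page in agreement.
function render_escaped(string $text): string
{
    return '<p>You typed: '
        . htmlentities($text, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Constructed sample input standing in for the posted field.
$text = $_POST['text'] ?? '<script>alert("Evil Code");</script>';

if (PHP_SAPI === 'cli') {
    // Show the two server responses side by side without a browser.
    echo "insecure: ", render_insecure($text), "\n";
    echo "escaped:  ", render_escaped($text), "\n";
    exit;
}

header('Content-Type: text/html; charset=UTF-8');
echo "<!doctype html>\n<meta charset=\"utf-8\">\n";
echo "<form method=\"post\">\n",
     "<input type=\"text\" name=\"text\">\n",
     "<button>Submit</button>\n",
     "</form>\n";

// The escaped rendering is what a hosted "insecure-form" page behaves
// like once htmlentities() has been put in front of the echo.
echo render_escaped($text), "\n";

// Swap in the next line (and drop the one above) to reproduce the
// original injection demo, where the alert actually fires:
// echo render_insecure($text), "\n";
```

Run from the CLI, the insecure line prints the `<script>` element intact while the escaped line prints `&lt;script&gt;alert(&quot;Evil Code&quot;);&lt;/script&gt;`; that second string is the output Ash is describing, and a browser will show it as literal text rather than execute it.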