On Apr 18, 2011, at 11:42 AM, tedd wrote:

> At 1:09 PM -0400 4/18/11, Joshua Kehn wrote:
>> On Monday, April 18, 2011 at 1:06 PM, tedd wrote:
>>
>>> Hi gang:
>>>
>>> Quite some time ago I had a demo that showed Javascript injection. It
>>> was where a user could type in:
>>>
>>> <script> alert("Evil Code");</script>
>>>
>>> and a JavaScript alert would be shown.
>>>
>>> But now my demo no longer works. So, what happened? Was there a php
>>> update that prohibited that sort of behavior or did hosts start
>>> setting something to OFF, or what?
>>>
>>> If you know, please explain.
>>>
>>> Thanks,
>>>
>>> tedd
>>> --
>>> -------
>>> http://sperling.com/
>>>
>> Not that I know of. Are you talking about on-page injection, like comments and such? Normally JS injection would be that (bad scripts inserted by the user on a comment form or review page) or where you are using eval() and they dump bad code into there.
>>
>> Regards,
>>
>> -Josh
>
> No, I had a simple form where IF the user entered:
>
> <script> alert("Evil Code");</script>
>
> -- into the form's text field (i.e., $_POST['text'] ) AND clicked Submit, the form would
>
> echo( $_POST['text'] );
>
> -- and that would produce a JavaScript Alert.
>
> Here's the form:
>
> http://php1.net/a/insecure-form/index.php
>
> It was a simple working example of JavaScript Injection. But it no longer works and I want to find out why. The most popular reason thus far is "Browsers have changed", but I'm not sure as to what did change.
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/

Hi Tedd,

If you look at the source code of the form after it is submitted, it appears the quotes in the entered text are being escaped.
For example, I entered this into your form:

---
<script type="text/javascript">alert("hello");</script>
---

and when I view the source, it says this:

---
<p>This is what you entered:</p>Input: <script type=\"text/javascript\">alert(\"hello\");</script><br>Input after htmlentites: <script type=\"text/javascript\">alert(\"hello\");</script><br>
---

Mari

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
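The backslashes Mari saw in front of the quotes are what addslashes() produces, and applying addslashes() to every request value is exactly what PHP's magic_quotes_gpc setting did (deprecated in 5.3, removed in 5.4), so a host turning that setting on is consistent with the symptom. The security point is that backslash-escaping quotes is not an XSS defence: it breaks tedd's particular payload because alert(\"Evil Code\") is a JavaScript syntax error, but the <script> tag is still injected, and a payload that contains no quotes runs unchanged. The script below is an added example, not code from the thread or from the php1.net form; the payload strings are constructed, the file name is hypothetical, and verdict() is a demonstration heuristic standing in for loading the page in a browser.

```php
<?php
// Added example, not code from the thread or from php1.net. It shows the
// three behaviours discussed: the insecure echo, what backslash-escaping of
// quotes (addslashes(), which is what magic_quotes_gpc applied to $_POST)
// does to the same input, and proper output encoding with htmlspecialchars().
// Run with: php xss_demo.php   (file name is hypothetical)

declare(strict_types=1);

// Constructed sample inputs standing in for $_POST['text'].
const PAYLOADS = [
    'quoted'    => '<script> alert("Evil Code");</script>',                 // tedd's demo payload
    'no_quotes' => '<script>alert(1)</script>',                             // needs no quotes at all
    'charcode'  => '<script>alert(String.fromCharCode(88,83,83))</script>', // builds its string without quotes
    'benign'    => 'Hello, "world"',
];

// 1. The insecure form: the input is echoed back verbatim.
function render_raw(string $input): string
{
    return $input;
}

// 2. What magic_quotes_gpc did to request data before the script saw it:
//    the equivalent of addslashes(). Quotes become \" and \', backslashes
//    are doubled; angle brackets and tag names are left untouched.
function render_magic_quotes(string $input): string
{
    return addslashes($input);
}

// 3. The real defence for output into a text node: HTML-encode <, >, &, " and '.
//    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_escaped(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Heuristic verdict for these constructed inputs (not a browser; the real
// check is to load the page and watch for the alert):
//   - no '<script' in the output: the browser sees text, nothing runs;
//   - '<script' present and no backslash: the script runs as written;
//   - '<script' present but quotes were backslashed: the tag is still
//     injected, yet alert(\"...\") is a JavaScript syntax error, so no alert
//     appears. That is the symptom reported in the thread.
function verdict(string $html): string
{
    if (stripos($html, '<script') === false) {
        return 'inert text';
    }
    return strpos($html, '\\') !== false
        ? 'tag injected, JS broken by backslashes'
        : 'EXECUTES';
}

foreach (PAYLOADS as $name => $payload) {
    printf("== %s ==\n", $name);
    foreach (['raw', 'magic_quotes', 'escaped'] as $mode) {
        $fn  = 'render_' . $mode;
        $out = $fn($payload);
        printf("  %-13s %-40s %s\n", $mode, verdict($out), $out);
    }
}
```

Under the magic_quotes column only the 'quoted' payload stops working, which is why a demo built around a quoted string would appear to have been "fixed" while the form is still exploitable; under the escaped column every payload is inert because the angle brackets themselves are encoded. The fix is encoding at output time for the context the value lands in (htmlspecialchars() for HTML text and attribute values; a JavaScript string or URL needs its own encoder), not filtering or escaping on input.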