At 2:46 PM -0400 4/18/11, Daniel Brown wrote:
On Mon, Apr 18, 2011 at 14:42, tedd <tedd@xxxxxxxxxxxx> wrote:
No, I had a simple form where IF the user entered:
<script> alert("Evil Code");</script>
-- into the form's text field (i.e., $_POST['text'] ) AND clicked Submit,
the form would
echo( $_POST['text'] );
-- and that would produce a JavaScript Alert.
Here's the form:
http://php1.net/a/insecure-form/index.php
It was a simple working example of JavaScript Injection. But it no longer
works and I want to find out why. The most popular reason thus far is
"Browsers have changed", but I'm not sure as to what did change.
Look at the post-processing source --- note the slashes. Apply
stripslashes() to the output on the PHP side and all should be right
again with the world.
--
</Daniel P. Brown>
Daniel et al:
Sorry -- I'm not making myself clear.
The form "as-is" produced a javascript alert() and now it doesn't.
It doesn't make any difference if I use stripslashes() or not, it
still will NOT produce a javascript alert as it used to do.
Seriously, try this:
<?php
$insecure = $_POST['insecure'];
//$insecure = stripslashes($insecure);
?>
<h1>tedd's Secure v Insecure form demo</h1>
<p>
Enter (cut/paste the red) <br/><span class="red"> <script>
alert("Evil Code"); </script></span><br/> in the field below
and see what happens. The red is javascript code.
</p>
<form method="post" action="index.php">
<p>
Field: <input type="text" size=60 name="insecure">
</p>
<p>
<input type=submit value="Submit Post">
</p>
</form>
<?php
if ($insecure != null)
{
echo("<p>This is what you entered:</p>");
echo("Input: $insecure");
echo("<br>");
$insecure = htmlentities($insecure);
echo("Input after htmlentites: $insecure");
echo("<br>");
}
?>
<?php include('../includes/footer.php'); ?>
You can un-comment the stripslashes() function and it will still not
produce a javascript alert.
Cheers,
tedd
--
-------
http://sperling.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
