Re: JavaScript Injection ???

Yep, I see this on Chrome 10.

Regards,

-Josh
___________________________________________
Joshua Kehn | Josh.Kehn@xxxxxxxxx
http://joshuakehn.com

On Monday, April 18, 2011 at 2:49 PM, Mari Masuda wrote:

> On Apr 18, 2011, at 11:42 AM, tedd wrote:
> 
> > At 1:09 PM -0400 4/18/11, Joshua Kehn wrote:
> > > On Monday, April 18, 2011 at 1:06 PM, tedd wrote:
> > > 
> > > > Hi gang:
> > > > 
> > > > Quite some time ago I had a demo that showed Javascript injection. It
> > > > was where a user could type in:
> > > > 
> > > > <script> alert("Evil Code");</script>
> > > > 
> > > > and a JavaScript alert would be shown.
> > > > 
> > > > But now my demo no longer works. So, what happened? Was there a php
> > > > update that prohibited that sort of behavior or did hosts start
> > > > setting something to OFF, or what?
> > > > 
> > > > If you know, please explain.
> > > > 
> > > > Thanks,
> > > > 
> > > > tedd
> > > > --
> > > > -------
> > > > http://sperling.com/
> > > Not that I know of. Are you talking about on-page injection, like comments and such? Normally JS injection would be that (bad scripts inserted by the user on a comment form or review page) or where you are using eval() and they dump bad code into there.
> > > 
> > > Regards,
> > > 
> > > -Josh
> > 
> > No, I had a simple form where IF the user entered:
> > 
> > <script> alert("Evil Code");</script>
> > 
> > -- into the form's text field (i.e., $_POST['text'] ) AND clicked Submit, the form would
> > 
> > echo( $_POST['text'] );
> > 
> > -- and that would produce a JavaScript Alert.
> > 
> > Here's the form:
> > 
> > http://php1.net/a/insecure-form/index.php
> > 
> > It was a simple working example of JavaScript Injection. But it no longer works and I want to find out why. The most popular reason thus far is "Browsers have changed", but I'm not sure as to what did change.
> > 
> > Cheers,
> > 
> > tedd
> > 
> > -- 
> > -------
> > http://sperling.com/
> 
> Hi Tedd,
> 
> If you look at the source code of the form after it is submitted, it appears the quotes in the entered text are being escaped. For example, I entered this into your form:
> ---
> <script type="text/javascript">alert("hello");</script>
> ---
> and when I view the source, it says this:
> ---
> <p>This is what you entered:</p>Input: <script type=\"text/javascript\">alert(\"hello\");</script><br>Input after htmlentites: &lt;script type=\&quot;text/javascript\&quot;&gt;alert(\&quot;hello\&quot;);&lt;/script&gt;<br>
> ---
> 
> Mari
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
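
Added example, not part of the thread: the view-source output Mari quotes shows a backslash before every double quote and, on its second line, the entity-encoded form. The JavaScript below reproduces both transformations on her input and checks whether a `<script>` element survives and whether its body still parses. It assumes the backslashes come from addslashes()-style quoting (the thread does not say what adds them); `addSlashes`, `htmlEntities`, `scriptBodies`, `parsesAsJavaScript` and `analyse` are hypothetical helper names.

```javascript
// Added example, not code from the thread. The sample is the string Mari typed.
const SAMPLE_INPUT = '<script type="text/javascript">alert("hello");</script>';

// Assumption: the backslashes seen in view-source come from addslashes()-style
// quoting of request data; this emulates it (\, ', " and NUL get a backslash).
function addSlashes(s) {
  return s.replace(/[\\'"]/g, '\\$&').replace(/\0/g, '\\0');
}

// Emulates the entity encoding shown on the second output line for & < > ".
function htmlEntities(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Return the bodies of any <script> elements that survive in the markup.
function scriptBodies(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Parse-only check: new Function compiles the source but never calls it.
function parsesAsJavaScript(src) {
  try { new Function(src); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// Summarise what a browser would be handed for one echoed string.
function analyse(echoed) {
  const bodies = scriptBodies(echoed);
  return {
    scriptElementPresent: bodies.length > 0,
    bodyParses: bodies.length > 0 && bodies.every(parsesAsJavaScript),
  };
}

const raw = analyse(SAMPLE_INPUT);                              // plain echo
const slashed = analyse(addSlashes(SAMPLE_INPUT));              // first output line
const encoded = analyse(htmlEntities(addSlashes(SAMPLE_INPUT))); // second output line
console.log({ raw, slashed, encoded });
```

Backslash quoting leaves the `<script>` element in the page and only happens to turn this particular body into a syntax error; the entity-encoded line is the one in which no element is created at all.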
