On Monday, 18 April 2011 at 20:50, tedd wrote:
> Daniel et al:
>
> Sorry -- I'm not making myself clear.
>
> The form "as-is" produced a javascript alert() and now it doesn't.
>
> It doesn't make any difference if I use stripslashes() or not, it
> still will NOT produce a javascript alert as it used to do.
>
> Seriously, try this:
>
> <?php
>
> $insecure = $_POST['insecure'];
> //$insecure = stripslashes($insecure);
> ?>
>
> <h1>tedd's Secure v Insecure form demo</h1>
>
> <p>
> Enter (cut/paste the red) <br/><span class="red"> <script>
> alert("Evil Code"); </script></span><br/> in the field below
> and see what happens. The red is javascript code.
> </p>
>
> <form method="post" action="index.php">
> <p>
> Field: <input type="text" size=60 name="insecure">
> </p>
> <p>
> <input type=submit value="Submit Post">
> </p>
> </form>
>
> <?php
>
> if ($insecure != null)
> {
> echo("<p>This is what you entered:</p>");
> echo("Input: $insecure");
> echo("<br>");
> $insecure = htmlentities($insecure);
> echo("Input after htmlentites: $insecure");
> echo("<br>");
> }
> ?>
>
> <?php include('../includes/footer.php'); ?>
>
> You can un-comment the stripslashes() function and it will still not
> produce a javascript alert.
Looks like some form of variable tainting. There was a proposal and a patch a while back, but all it did was emit a warning. I've looked at the PHP5 changelog to see if this was added but can't find any reference to it being merged in.
This is not a browser change because it's happening before the browser sees the response (try it with curl).
-Stuart
--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
