Re: JavaScript Injection ???

At 1:09 PM -0400 4/18/11, Joshua Kehn wrote:
On Monday, April 18, 2011 at 1:06 PM, tedd wrote:

Hi gang:

Quite some time ago I had a demo that showed Javascript injection. It
was where a user could type in:

<script> alert("Evil Code");</script>

and a JavaScript alert would be shown.

But now my demo no longer works. So, what happened? Was there a php
update that prohibited that sort of behavior or did hosts start
setting something to OFF, or what?

If you know, please explain.

Thanks,

tedd
--
-------
http://sperling.com/

Not that I know of. Are you talking about on-page injection, like comments and such? Normally JS injection would be that (bad scripts inserted by the user on a comment form or review page) or where you are using eval() and they dump bad code into there.

Regards,

-Josh

No, I had a simple form where IF the user entered:

<script> alert("Evil Code");</script>

-- into the form's text field (i.e., $_POST['text'] ) AND clicked Submit, the form would

echo( $_POST['text'] );

-- and that would produce a JavaScript Alert.

Here's the form:

http://php1.net/a/insecure-form/index.php

It was a simple working example of JavaScript Injection. But it no longer works and I want to find out why. The most popular reason thus far is "Browsers have changed", but I'm not sure as to what did change.

Cheers,

tedd

--
-------
http://sperling.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
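
The handler described in this message, next to an output-escaped version, as an added example that is not part of the original thread. The field name `text` and the test string come from the post; the function names and the CLI harness are assumptions made for illustration. The escaped version behaves the same whether or not a browser blocks the reflected script.

```php
<?php
// Added example (not from the thread): reflected input, unescaped vs. escaped.

/** What the demo form did: the submitted value goes into the HTML unchanged. */
function render_unsafe(array $post)
{
    return isset($post['text']) ? $post['text'] : '';
}

/** Hardened form: encode HTML metacharacters at the point of output. */
function render_safe(array $post)
{
    $text = isset($post['text']) ? $post['text'] : '';

    // A request such as text[]=x makes $_POST['text'] an array; treat it as empty.
    if (!is_string($text)) {
        $text = '';
    }

    // ENT_QUOTES also encodes ' and ", so the value is safe inside a quoted
    // attribute as well as in element content. ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Under a web server use the real request; on the command line fall back to
// a constructed sample holding the string from the post.
$post = (PHP_SAPI === 'cli')
    ? array('text' => '<script> alert("Evil Code");</script>')
    : $_POST;

if (PHP_SAPI === 'cli') {
    // Print both renderings so the difference in the emitted markup is visible.
    echo "unsafe: ", render_unsafe($post), PHP_EOL;
    echo "safe:   ", render_safe($post), PHP_EOL;
} else {
    // Declare the charset so the browser decodes the page the same way
    // htmlspecialchars() encoded it.
    header('Content-Type: text/html; charset=UTF-8');
    echo '<form method="post"><input type="text" name="text">',
         '<input type="submit" value="Submit"></form>';
    echo '<p>', render_safe($post), '</p>';
}
```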


