On Mon, Apr 25, 2011 at 19:12, Nathan Rixham <nrixham@xxxxxxxxx> wrote:
>
> It is the browser, Chrome will prevent execution because the code was sent
> in the request, just check the JavaScript console and you'll see something
> like:
>
> "Refused to execute a JavaScript script. Source code of script found within
> request."

Easy way to get around that, depending on where it lay and how it was stored and accessed, is to inject it into the session. Chrome would obviously have no notion of session data. An added step, but proof positive that ALL data needs to be sanitized, not just GPC and database.

--
</Daniel P. Brown>
Network Infrastructure Manager
http://www.php.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
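
The point about session data in the message above, as an added example that is not part of the original thread: a value stored in one request and rendered in a later one never appears in the request that produces the page, so the output has to be escaped no matter where the value came from. The helper e(), the display_name key and the $session array (standing in for $_SESSION) are assumptions made for this illustration.

```php
<?php
// Added example: constructed values, runs from the CLI (php example.php).
// $session stands in for $_SESSION so the script needs no web server.

/** Escape a value for an HTML text or quoted-attribute context. */
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Request 1: input arrives and is stored as-is; nothing is rendered. */
function store_display_name(array &$session, array $post): void
{
    $session['display_name'] = $post['display_name'] ?? '';
}

/** Request 2, unescaped: session data is treated as trusted. */
function render_unsafe(array $session): string
{
    return '<p>Welcome back, ' . $session['display_name'] . '</p>';
}

/** Request 2, escaped at output, regardless of where the value came from. */
function render_safe(array $session): string
{
    return '<p>Welcome back, ' . e($session['display_name'] ?? '') . '</p>';
}

$session = [];
// Constructed sample input containing markup.
store_display_name($session, ['display_name' => '<script>alert(1)</script>']);

// The second request carries no script text, so a filter that compares
// the request with the response has nothing to match.
echo render_unsafe($session), PHP_EOL;
echo render_safe($session), PHP_EOL;
```

The first line printed still contains a live script element; the second contains only entity-encoded text, which a browser displays instead of executing.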