At 7:45 PM -0400 4/25/11, Daniel Brown wrote:
> On Mon, Apr 25, 2011 at 19:12, Nathan Rixham <nrixham@xxxxxxxxx> wrote:
>> It is the browser; Chrome will prevent execution because the code was sent
>> in the request. Just check the JavaScript console and you'll see something
>> like:
>> "Refused to execute a JavaScript script. Source code of script found within
>> request."
>
> Easy way to get around that, depending on where it lay and how it
> was stored and accessed, is to inject it into the session. Chrome
> would obviously have no notion of session data. An added step, but
> proof positive that ALL data needs to be sanitized, not just GPC and
> database.
>
> --
> </Daniel P. Brown>
Most excellent point!
Cheers,
tedd
--
-------
http://sperling.com/
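The point made above is that Chrome's reflected-script check only compares the page against the current request, so a value that reached the page by another route (here, the session) is not caught, and the real control has to be server-side escaping at output time. The following is an added example, not code from anyone in this thread: it escapes a session-held value with htmlspecialchars() before it is written into HTML. The function names h() and renderGreeting(), the session key display_name and the sample value are all constructed for the illustration.

```php
<?php
// Added example (not from the thread): escape every value at output time,
// whether it came from $_GET/$_POST/$_COOKIE, the database, or $_SESSION.

declare(strict_types=1);

/**
 * Escape a string for insertion into an HTML text node or a quoted attribute.
 * ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string, which would silently drop data.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render a greeting from a session-held display name (assumed key).
 * The session array is passed in explicitly so the function can be run
 * without a live session; in real code this would read from $_SESSION.
 */
function renderGreeting(array $session): string
{
    $name = (string) ($session['display_name'] ?? 'guest');
    return '<p>Welcome, ' . h($name) . '</p>';
}

// Constructed sample: a value stored in the session on an earlier request
// that contains markup. Because it is not part of the current request,
// a browser-side reflected-script filter has nothing to match against;
// only the escaping in h() keeps it inert.
$sampleSession = ['display_name' => '<script>alert(1)</script>tedd'];

echo renderGreeting($sampleSession), PHP_EOL;
```

htmlspecialchars() is the right escaper for HTML text and quoted attribute values only; a value placed inside a <script> block, a URL, or a CSS context needs escaping for that context instead. Escaping at the output point, by context, is what makes the source of the data irrelevant, which is exactly what the "ALL data" remark above is getting at.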
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php