On May 21, 2011, at 9:11 AM, tedd wrote:
Hi gang:
Okay, so,what's the "best" (i.e., most secure) way for your script
to identify itself *IF* you plan on using that information later,
such as the value in an action attribute in a form?
For example, I was using:
$self = basename($_SERVER['SCRIPT_NAME']);
<form name="my_form" action="<?php echo($self); ?>" method="post" >
However, that was susceptible to XSS.
http://www.mc2design.com/blog/php_self-safe-alternatives
says a simple action="#" would work.
But is there a better way?
What would do you do solve this?
Cheers,
tedd
--
-------
http://sperling.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Hi, everyone. I've been following this thread, and as I am not that
familiar with XSS attacks, I went searching for information about
them. I did find this:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
which may help others like me begin to understand the issue. That
said, I really don't understand how using something like
$self=basename($_SERVER['SCRIPT_NAME']); becomes vulnerable to an XSS
attack. Can someone explain to me how this works? Then I might be able
to understand how to prevent it.
Thanks.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
