dongzai3917 2011-05-21 10:33
Views: 28
Accepted

PHP_SELF and XSS [duplicate]

Possible Duplicate:
PHP_SELF and XSS

Why is it necessary to filter $_SERVER['PHP_SELF'], from e.g.:

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <!-- form contents -->
</form>

to:

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>">
  <!-- form contents -->
</form>

in order to make it XSS-attack proof?

and:

How can an attacker reach end users other than himself using the "vulnerability" of the first form?


2 answers

  • dqzuo0327 2011-05-21 10:37

    If you’re using AcceptPathInfo or something similar such that a URI like /index.php/foo/bar is directed to /index.php, requesting /index.php/%22%E3E… can get your following data outside the form tag.

    And as for the second question: click here.

    This answer was accepted by the asker.
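The mechanism the accepted answer describes, as an added example that is not part of the original question or answer: with PATH_INFO enabled, a request for /index.php/<anything> still executes index.php, and PHP_SELF carries the URL-decoded trailing part straight into the unescaped `action` attribute. The script below is illustrative only; `php_self_from_request` is an assumed helper that imitates that server behaviour, the request path is constructed, and the "injected" payload is a plain `<b>` element rather than anything active. The page's own two forms are rendered side by side so the effect of `htmlspecialchars(..., ENT_QUOTES, 'utf-8')` is visible.

```php
<?php
// Added example, not code from the original post. Models how an attacker-controlled
// PATH_INFO ends up in PHP_SELF and why escaping it with ENT_QUOTES is required.
declare(strict_types=1);

// Assumed helper (not a PHP built-in): with AcceptPathInfo or similar, PHP_SELF
// is the script path plus the URL-decoded PATH_INFO, so
// "/index.php/%22%3E" becomes '/index.php/">'.
function php_self_from_request(string $rawPath): string
{
    return rawurldecode($rawPath);
}

// The first form from the question: PHP_SELF is echoed verbatim.
function render_form_unescaped(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">' . "\n"
         . "  <!-- form contents -->\n"
         . "</form>";
}

// The second form from the question: '"', '<', '>' and '&' are entity-encoded,
// so the value can neither close the attribute nor open a new tag.
function render_form_escaped(string $phpSelf): string
{
    return '<form method="post" action="'
         . htmlspecialchars($phpSelf, ENT_QUOTES, 'utf-8') . '">' . "\n"
         . "  <!-- form contents -->\n"
         . "</form>";
}

// Regression-style check: the rendered markup must be exactly one form whose
// action attribute contains no raw quote or angle bracket.
function rendered_form_is_intact(string $html): bool
{
    $expected = '/^<form method="post" action="[^"<>]*">\n  <!-- form contents -->\n<\/form>$/';
    return preg_match($expected, $html) === 1;
}

// Constructed request: closes the attribute and the <form>, then adds a
// harmless <b> element. This is the "data outside the form tag" the answer refers to.
$request = '/index.php/%22%3E%3C/form%3E%3Cb%3Einjected%3C/b%3E';
$phpSelf = php_self_from_request($request);

$unsafe = render_form_unescaped($phpSelf);
$safe   = render_form_escaped($phpSelf);

echo "Unescaped:\n", $unsafe, "\n";
echo "intact: ", var_export(rendered_form_is_intact($unsafe), true), "\n\n";

echo "Escaped:\n", $safe, "\n";
echo "intact: ", var_export(rendered_form_is_intact($safe), true), "\n";
```

Run with `php example.php`. The unescaped rendering fails the check because the `<form>` element is closed early and `<b>injected</b>` lands in the document body; the escaped rendering passes because the same characters appear as `&quot;`, `&lt;` and `&gt;` inside the attribute, where the browser treats them as literal text. Since PHP_SELF is derived from whatever path the request carried, the value is under the control of whoever crafts the link, which is why escaping on output, not trusting the server variable, is the fix.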
