I have been assigned to test a website that another group has just created. I have discovered
that it is prone to XSS attacks. However, it does not really throw
up an error or any valid information when I use JS with PHP:
i.e.
    var someVar = <?php echo 'a'; ?>
    alert(someVar);
This led to my assuming that a site prone to XSS attacks may not necessarily allow PHP code
to be injected. Am I correct? If not, is there anything with the segment that I posted above?
And, the reason I haven't tried PHP injection via the GET variables is that I do
not use anything of the form page.php?id='', that queries the database, as of now, except for
the registration and login part, which is via POST.