On Friday 27 April 2007 20:37, Cristian Rodriguez R. wrote:
> Randall R Schulz wrote:
> > You've got to clarify this. I see an HTML form that submits PHP
> > code.
>
> no, the html form does not submit PHP code, what you are seeing
> **is** PHP code mixed with html, that is interpreted on the server.
>
> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
>
> will be displayed to the user's browser as:
>
> <form method="post" action="myscript.php">
>
> where myscript.php is the name of the current script in execution.
>
> in this case, the programmer's laziness permits an XSS attack.

I see.

> ...
>
> > How is that not an avenue for an injection exploit?
>
> it is, but for XSS.
>
> > What is XSS?
>
> XSS == Cross Site Scripting
>
> http://en.wikipedia.org/wiki/Cross_site_scripting

I'm aware of the issue, just not the acronym.

RRS
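
The form pattern discussed in this thread, next to two hardened variants. This is an added example, not code from either poster. It assumes a server that accepts extra path text after the script name (so `PHP_SELF` carries client-supplied characters); `$phpSelf`, `$scriptName` and the three function names are hypothetical, and the sample values are constructed.

```php
<?php
// PHP_SELF is the script name plus any extra path text from the request,
// so it must be treated as untrusted input when written into HTML.

// Constructed stand-ins for $_SERVER values on one such request
// (harmless markup is used as the extra path text).
$phpSelf    = '/myscript.php/"><b>injected</b>';
$scriptName = '/myscript.php';

// Pattern from the thread: the value is echoed raw into the attribute,
// so a double quote in it ends the attribute and the rest becomes markup.
function form_tag_raw(string $self): string
{
    return '<form method="post" action="' . $self . '">';
}

// Hardened: encode for the HTML attribute context before output.
function form_tag_encoded(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Hardened: use SCRIPT_NAME, which omits the extra path text,
// and still encode it on output.
function form_tag_script_name(string $script): string
{
    return form_tag_encoded($script);
}

// True when the constructed markup survived unencoded in the output.
function markup_leaked(string $html): bool
{
    return strpos($html, '<b>injected</b>') !== false;
}

$variants = [
    'raw PHP_SELF'     => form_tag_raw($phpSelf),
    'encoded PHP_SELF' => form_tag_encoded($phpSelf),
    'SCRIPT_NAME'      => form_tag_script_name($scriptName),
];
foreach ($variants as $label => $html) {
    printf("%-17s leaked=%-3s %s\n", $label, markup_leaked($html) ? 'yes' : 'no', $html);
}
```

Run it with the PHP command-line interpreter; only the raw variant reports the markup as leaked.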
