On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote: > > I've been doing a bit of reading, and I can't really understand why XSS > > is such an issue. Sure, if a user can insert a <script> tag, what > > difference will that make to anyone else, as it is only on their own > > browser. > > > 1. User 1 logs on to the application. Fills up the form with malicious > JS code in it. The server accepts the input, is stored in the database. > 2. User 2 logs on to the application. Goes to the view the information > stored in the database. The JS gets executed on user 2's browser. User > is attacked by XSS. > > I hope that clarifies the question. > > It does to a degree. So I shouldn't really worry about it in this case, as input from one user will never be displayed to any other user. If it was a forum or something, it would, but the search string is only ever shown to the user who entered it, and never stored for later display.
Thanks Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php