On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> > I've been doing a bit of reading, and I can't really understand why XSS
> > is such an issue. Sure, if a user can insert a <script> tag, what
> > difference will that make to anyone else, as it is only on their own
> > browser.
> >   
> 1. User 1 logs on to the application. Fills up the form with malicious 
> JS code in it. The server accepts the input, is stored in the database.
> 2. User 2 logs on to the application. Goes to the view the information 
> stored in the database. The JS gets executed on user 2's browser. User 
> is attacked by XSS.
> I hope that clarifies the question.
It does to a degree. So I shouldn't really worry about it in this case,
as input from one user will never be displayed to any other user. If it
was a forum or something, it would, but the search string is only ever
shown to the user who entered it, and never stored for later display.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to