Hi List,
I just figured out that the browsers on my system interpret '
inside an href or onclick attribute as a plain '.
Imagine the user input is the following line:
param2" foo';);alert(document.cookie);alert('
Which is being written by the script like that:
<a href="javascript:void(0);" onclick="test(1,
'USER_INPUT_GOES_HERE');">test</a>
USER_INPUT is sent through htmlentities($str, ENT_QUOTES, 'UTF-8');
The result is the following then:
<html><body>
<script type="text/javascript">
function example(a, b) {
alert('valid alert; params: '+ a+', '+b);
}
</script>
<a href="javascript:void(0);" onclick="example(1, 'param2"
foo');alert(document.cookie);alert('');">test</a>
</body></html>
My browsers will alert the document.cookie.
Please confirm this (and keep in mind that document.cookie is just
empty when tested locally).
Regards
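As an added example (not code from the original post), a small Node.js simulation of the two decoding layers the post runs into: the HTML parser replaces character references such as &#039; and &quot; in the attribute value first, and only then does the JavaScript engine parse the handler. It also shows the encoder a defender wants for this context: escape for the JS string first (\uXXXX escapes, the same idea as PHP's json_encode() with the JSON_HEX_* flags), then HTML-escape the whole attribute. The input string, the example()/alert() stubs and the cookie value are constructed for the demonstration.

```javascript
// Added example, not code from the original post. Models the two decoding
// layers a browser applies to onclick="...": the HTML parser first replaces
// character references in the attribute value, then the JavaScript engine
// parses whatever text is left. Constructed input, same shape as the post's.
const USER_INPUT = `param2" foo');alert(document.cookie);alert('`;

// Approximates htmlentities($str, ENT_QUOTES, 'UTF-8') for the characters that matter here.
function htmlEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#039;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// What the HTML parser does to an attribute value before JavaScript ever sees it.
function decodeAttribute(s) {
  const named = { amp: '&', quot: '"', lt: '<', gt: '>' };
  return s.replace(/&(amp|quot|lt|gt|#0*39|#x0*27);/gi,
                   (_, ref) => named[ref.toLowerCase()] ?? "'");
}

// Encoder for a JS string literal that will live inside an HTML attribute: every
// character meaningful to HTML or to JS string syntax becomes a \uXXXX escape,
// which the HTML parser leaves alone and the JS engine turns back into text.
function jsStringLiteral(s) {
  let out = "'";
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (ch === '\\') out += '\\\\';
    else if (cp < 0x20 || "<>&'\"\u2028\u2029".includes(ch))
      out += '\\u' + cp.toString(16).padStart(4, '0');
    else out += ch;
  }
  return out + "'";
}

// Attribute value built the way the post's script does it: HTML escaping only.
function unsafeOnclick(input) { return `example(1, '${htmlEscape(input)}');`; }

// Attribute value with both layers encoded: JS string context first, then HTML.
function safeOnclick(input) { return htmlEscape(`example(1, ${jsStringLiteral(input)});`); }

// Simulates the click: decode the attribute as the HTML parser would, then run
// it with stubbed example(), alert() and document, recording every call made.
function simulateClick(attributeValue) {
  const calls = { example: [], alert: [] };
  new Function('example', 'alert', 'document', decodeAttribute(attributeValue))(
    (_a, b) => calls.example.push(b),
    msg => calls.alert.push(msg),
    { cookie: 'sid=constructed-value' });
  return calls;
}
```

With the post's input, the HTML-escaped-only attribute decodes back to the raw string and the stubbed alert() fires twice, while the doubly encoded attribute delivers the exact input to example() as a single string argument and alert() never runs.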
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php