Hi List,

I just figured out that the browsers on my system interpret '
inside an href or onclick attribute as a plain '.

Imagine the user input is the following line:

param2" foo';);alert(document.cookie);alert('

The script writes it out like this:

<a href="javascript:void(0);" onclick="test(1,

USER_INPUT is sent through htmlentities($str, ENT_QUOTES, 'UTF-8');

The result is the following then:

<script type="text/javascript">
function example(a, b) {
  alert('valid alert; params: '+ a+', '+b);
}
</script>

<a href="javascript:void(0);" onclick="example(1, 'param2&quot;

My browsers alert document.cookie.
Please confirm this (and keep in mind that document.cookie is simply
empty when tested locally).


PHP General Mailing List (http://www.php.net/)
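The behaviour described in the post, as an added example that is not part of the original message or of PHP itself: a Node.js script that models the two stages the browser runs in order. The HTML parser first decodes character references in the attribute value, and only then does the JavaScript engine parse the handler, so &quot; and &#039; produced by htmlentities() come back as real quotes inside the JavaScript source. The script builds the onclick attribute once with htmlentities-style encoding (the post's approach) and once with JavaScript string-literal escaping applied first, and runs both with stubbed alert/document objects. Assumptions, none of them from the post: the template is `example(1, 'USER_INPUT');` (the post only shows the truncated `test(1,` / `example(1,`), the payload is a constructed input with the same shape as the one in the post but adjusted so that the injected JavaScript parses, the cookie value is constructed, and htmlentities() is modelled only for the ASCII characters that matter here.

```javascript
// Added example, not code from the original post. Models why HTML-entity
// encoding alone cannot keep user data inside a JavaScript string literal
// that lives in an onclick attribute.

// Equivalent of PHP htmlentities($s, ENT_QUOTES, 'UTF-8') for the characters
// that matter here (assumption: the ASCII subset is enough for this input).
function htmlentitiesEntQuotes(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#039;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;');
}

// What the HTML parser does to an attribute value: decode character references.
// &amp; is decoded last so that "&amp;#039;" does not turn into a quote.
function decodeAttributeValue(v) {
  return v.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(parseInt(n, 10)))
          .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
          .replace(/&quot;/g, '"')
          .replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>')
          .replace(/&amp;/g, '&');
}

// Encoder for a JavaScript string-literal context: every character that is
// not alphanumeric becomes \xHH (or \uHHHH above 0xFF). The output contains
// only [A-Za-z0-9\], so the HTML encoding applied afterwards leaves it
// unchanged and the entity decoding in the browser cannot unescape it.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Build the onclick attribute with the assumed template example(1, 'USER_INPUT');
// then "click" it the way a browser would: decode the attribute value, hand
// the text to the JavaScript engine with stubbed globals, and record alerts.
function simulateClick(userInput, encoder) {
  const attr = `example(1, '${encoder(userInput)}');`;
  const js = decodeAttributeValue(attr);
  const alerts = [];
  const example = (a, b) => alerts.push(`valid alert; params: ${a}, ${b}`);
  const alert = (msg) => alerts.push(String(msg));
  const document = { cookie: 'session=secret' };   // constructed stand-in
  try {
    new Function('example', 'alert', 'document', js)(example, alert, document);
  } catch (e) {
    alerts.push(`${e.name}: ${e.message}`);
  }
  return { attr, js, alerts };
}

// Constructed payload in the shape of the post's input: close the string
// literal and the call, add statements, then re-open a string literal.
const PAYLOAD = "param2\" foo');alert(document.cookie);alert('";

// The post's approach: HTML-encode only.
const vulnerable = simulateClick(PAYLOAD, htmlentitiesEntQuotes);
// Hardened: escape for the JavaScript string context first, then HTML-encode.
const hardened = simulateClick(PAYLOAD, (s) => htmlentitiesEntQuotes(jsStringEscape(s)));

console.log('vulnerable attribute:', vulnerable.attr);
console.log('vulnerable JS seen by engine:', vulnerable.js);
console.log('vulnerable alerts:', vulnerable.alerts);
console.log('hardened JS seen by engine:', hardened.js);
console.log('hardened alerts:', hardened.alerts);
```

Run with `node` and compare the two "JS seen by engine" lines: in the first, the decoded quotes end the string literal and the injected alert(document.cookie) runs as its own statement; in the second, the \xHH escapes survive entity decoding and the whole payload stays inside the one string literal. The general rule this illustrates is that each nested context needs its own encoder, applied inside-out (JavaScript string escaping first, HTML attribute encoding second). Dropping the inline handler altogether, passing the value in a data attribute and attaching the handler with addEventListener, removes the JavaScript context and is the simpler fix.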