On Mon, 2011-04-18 at 14:42 -0400, tedd wrote:
> At 1:09 PM -0400 4/18/11, Joshua Kehn wrote:
> >On Monday, April 18, 2011 at 1:06 PM, tedd wrote:
> >>Hi gang:
> >>was where a user could type in:
> >><script> alert("Evil Code");</script>
> >>But now my demo no longer works. So, what happened? Was there a php
> >>update that prohibited that sort of behavior or did hosts start
> >>setting something to OFF, or what?
> >>If you know, please explain.
> >Not that I know of. Are you talking about on-page injection, like
> >comments and such? Normally JS injection would be that (bad scripts
> >inserted by the user on a comment form or review page) or where you
> >are using eval() and they dump bad code into there.
> No, I had a simple form where IF the user entered:
> <script> alert("Evil Code");</script>
> -- into the form's text field (i.e., $_POST['text'] ) AND clicked
> Submit, the form would
> echo( $_POST['text'] );
> Here's the form:
> longer works and I want to find out why. The most popular reason thus
> far is "Browsers have changed", but I'm not sure as to what did
From the looks of it you're only outputting the htmlentities version of
it, so it's outputting those <script> tags as &lt;script&gt; so the
browser would think the whole thing is text.
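
The difference described in the reply above, as an added example that is not part of the original thread or tedd's demo: the same submitted value echoed unchanged and echoed through htmlentities(). The variable `$submitted` is constructed input standing in for `$_POST['text']`, and the function names are hypothetical.

```php
<?php
// Constructed sample input standing in for $_POST['text'].
$submitted = '<script> alert("Evil Code");</script>';

// The behaviour the demo relied on: the field is echoed unchanged,
// so the browser parses the value as markup and runs the script.
function render_raw(string $text): string
{
    return $text;
}

// The behaviour the reply describes: the value is entity-encoded
// before output, so the browser shows it as literal text.
// ENT_QUOTES also encodes ' and ", which matters if the value is
// ever placed inside an HTML attribute.
function render_encoded(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Quick check for which variant a page is emitting: encoded output
// contains none of the characters that can open a tag or close an
// attribute value.
function has_markup_chars(string $output): bool
{
    return strpbrk($output, '<>"\'') !== false;
}

foreach (['render_raw', 'render_encoded'] as $renderer) {
    $out = $renderer($submitted);
    printf(
        "%-15s markup chars: %-3s output: %s\n",
        $renderer,
        has_markup_chars($out) ? 'yes' : 'no',
        $out
    );
}
```

Viewing the page source of the form's response shows the same distinction: `&lt;script&gt;` in the source means the value was encoded on the server before it reached the browser.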