At 2:46 PM -0400 4/18/11, Daniel Brown wrote:
On Mon, Apr 18, 2011 at 14:42, tedd <t...@sperling.com> wrote:


 No, I had a simple form where IF the user entered:

 <script> alert("Evil Code");</script>

 -- into the form's text field (i.e., $_POST['text'] ) AND clicked Submit,
 the form would

 echo( $_POST['text'] );

 -- and that would produce a JavaScript Alert.

 Here's the form:

 http://php1.net/a/insecure-form/index.php

 It was a simple working example of JavaScript Injection. But it no longer
 works and I want to find out why. The most popular reason thus far is
 "Browsers have changed", but I'm not sure as to what did change.

    Look at the post-processing source --- note the slashes.  Apply
stripslashes() to the output on the PHP side and all should be right
again with the world.

--
</Daniel P. Brown>

Daniel et al:

Sorry -- I'm not making myself clear.

The form "as-is" produced a javascript alert() and now it doesn't.

It doesn't make any difference if I use stripslashes() or not, it still will NOT produce a javascript alert as it used to do.

Seriously, try this:

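<?php
// Read the submitted field; null until the form has been posted.
$insecure = isset($_POST['insecure']) ? $_POST['insecure'] : null;
// Un-comment to strip the backslashes from the submitted value.
//$insecure = stripslashes($insecure);
?>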

<h1>tedd's Secure v Insecure form demo</h1>

<p>
Enter (cut/paste the red) <br/><span class="red"> &lt;script> alert("Evil Code"); &lt;/script></span><br/> in the field below
and see what happens. The red is javascript code.
</p>

<form method="post" action="index.php">
<p>
Field: <input type="text" size=60 name="insecure">
</p>
<p>
<input type=submit value="Submit Post">
</p>
</form>

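<?php
// Deliberately insecure demo: the first echo writes the input unescaped.
if ($insecure != null)
{
    echo("<p>This is what you entered:</p>");
    echo("Input: $insecure");            // raw, unescaped output
    echo("<br>");
    $insecure = htmlentities($insecure); // encode HTML special characters
    echo("Input after htmlentities: $insecure");
    echo("<br>");
}
?>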

<?php include('../includes/footer.php'); ?>

You can un-comment the stripslashes() function and it will still not produce a javascript alert.

Cheers,

tedd

--
-------
http://sperling.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
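
The three outputs discussed in this thread (raw echo with slashes, after stripslashes(), after htmlentities()), as an added example that is not part of tedd's message or the original form: it parses each output and reports whether a script element ends up in the page markup. The payload is the one from the demo; simulating the slashes with addslashes(), the helper name scriptBodies() and the availability of PHP's dom extension are assumptions.

```php
<?php
// Added example, not code from the thread. The input is the demo payload.
$payload = '<script> alert("Evil Code");</script>';

// Assumption: the backslashes seen in the page source are reproduced
// here with addslashes() so the script runs without a web server.
$asReceived = addslashes($payload);

/**
 * Hypothetical helper: parse the page the form would emit and return
 * the text of every <script> element the HTML parser finds in it.
 */
function scriptBodies(string $echoed): array
{
    libxml_use_internal_errors(true);   // keep parser warnings quiet
    $doc = new DOMDocument();
    $doc->loadHTML(
        '<!DOCTYPE html><html><body><p>Input: ' . $echoed . '</p></body></html>'
    );
    $bodies = [];
    foreach ($doc->getElementsByTagName('script') as $node) {
        $bodies[] = trim($node->textContent);
    }
    libxml_clear_errors();
    return $bodies;
}

// The three ways the thread renders the same submitted value.
$variants = [
    'raw echo (with slashes)' => $asReceived,
    'after stripslashes()'    => stripslashes($asReceived),
    'after htmlentities()'    => htmlentities(stripslashes($asReceived), ENT_QUOTES, 'UTF-8'),
];

foreach ($variants as $label => $echoed) {
    $bodies = scriptBodies($echoed);
    printf("%-26s emitted: %s\n", $label, $echoed);
    printf("%-26s script elements: %d %s\n\n", '', count($bodies),
        $bodies ? '[' . implode(' | ', $bodies) . ']' : '');
}
```

Run it with the PHP CLI. The first two variants both place a script element in the markup (the slashes only change its body), while the htmlentities() variant emits text and no element.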
