At 7:45 PM -0400 4/25/11, Daniel Brown wrote:
On Mon, Apr 25, 2011 at 19:12, Nathan Rixham wrote:

 It is the browser, Chrome will prevent execution because the code was sent
 in the request, just check the javascript console and you'll see something

  "Refused to execute a JavaScript script. Source code of script found within

    Easy way to get around that, depending on where it lay and how it
was stored and accessed, is to inject it into the session.  Chrome
would obviously have no notion of session data.  An added step, but
proof positive that ALL data needs to be sanitized, not just GPC and

</Daniel P. Brown>

Most excellent point!
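
Added example (not from the thread): the point about session data, in PHP, with constructed arrays standing in for `$_GET` and `$_SESSION` and hypothetical function names. The value arrives in one request and is rendered in a later one, so a browser filter that matches request content against the response has nothing to compare; encoding at the point of output covers it whatever the source.

```php
<?php
// Added example: constructed data and hypothetical function names.
// Plain arrays stand in for $_GET and $_SESSION so this runs from the CLI.
$request = ['name' => '<script>alert(1)</script>']; // constructed sample input
$session = [];

// Request 1: the value is only stored. Nothing from the request is echoed
// back, so a request/response comparison in the browser finds no match.
$session['name'] = $request['name'];

// Request 2: the page is built from the session; this request carries no markup.
function render_unsafe(array $session): string
{
    // Stored value is trusted because it did not come from GET/POST/COOKIE.
    return '<p>Hello, ' . $session['name'] . '</p>';
}

function render_escaped(array $session): string
{
    // Encode for the HTML context at the sink, regardless of where the value came from.
    $name = htmlspecialchars($session['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Hello, ' . $name . '</p>';
}

echo "unsafe:  ", render_unsafe($session), PHP_EOL;
echo "escaped: ", render_escaped($session), PHP_EOL;
```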


