On Sat, 2011-05-21 at 10:11 -0400, tedd wrote:
> Hi gang:
> Okay, so, what's the "best" (i.e., most secure) way for your script to
> identify itself *IF* you plan on using that information later, such
> as the value in an action attribute in a form?
> For example, I was using:
> $self = basename($_SERVER['SCRIPT_NAME']);
> <form name="my_form" action="<?php echo($self); ?>" method="post" >
> However, that was susceptible to XSS.
> says a simple action="#" would work.
> But is there a better way?
> What would you do to solve this?
I never use the action attribute if the form is posting to itself, as
the default action I've seen in any browser since the days of IE3 has
been for forms to post to themselves if no other action has been
specified. Having read that link you posted, I realise that missing the
action attribute out altogether would too be affected by the <base>
However, looking at the output of $_SERVER again, couldn't you just
subtract the value of PATH_INFO from the value of PHP_SELF, or only use
the portion of PHP self that didn't include PATH_INFO?
if (isset($_SERVER['PATH_INFO'])) {
    // Strip the trailing PATH_INFO portion so only the script path remains
    $safe_self = substr($_SERVER['PHP_SELF'], 0, -strlen($_SERVER['PATH_INFO']));
} else {
    $safe_self = $_SERVER['PHP_SELF'];
}
I've just tested this here and it seems to do the trick
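An added, self-contained illustration of the approach discussed in this thread (it is not code from either poster): it strips PATH_INFO from PHP_SELF as suggested above, and then escapes the result with htmlspecialchars() before it is placed in the action attribute, since that escaping is what prevents attribute injection no matter where the value came from. The $_SERVER array is replaced by a constructed array so the script runs from the command line; the function names and the sample request path are assumptions for this example, and the code assumes PHP 7 or later for the ?? operator.

```php
<?php
// Added example, not from the original thread.
// Computes a form action value that excludes PATH_INFO and is HTML-escaped.

function self_without_path_info(array $server): string
{
    $self     = $server['PHP_SELF'];
    $pathInfo = $server['PATH_INFO'] ?? '';

    // PATH_INFO, when present, is the trailing part of PHP_SELF after the
    // script name, so removing that suffix leaves only the script path.
    if ($pathInfo !== '' && substr($self, -strlen($pathInfo)) === $pathInfo) {
        $self = substr($self, 0, -strlen($pathInfo));
    }

    return $self;
}

function form_action(array $server): string
{
    // Always escape for an HTML attribute context, regardless of the source.
    return htmlspecialchars(self_without_path_info($server), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request standing in for $_SERVER:
// the client asked for /form.php/extra"<x>, so PATH_INFO carries characters
// that would break out of a quoted attribute if echoed unescaped.
$server = [
    'SCRIPT_NAME' => '/form.php',
    'PHP_SELF'    => '/form.php/extra"<x>',
    'PATH_INFO'   => '/extra"<x>',
];

// Side-by-side: the raw PHP_SELF value versus the hardened action value.
echo 'raw PHP_SELF: action="' . $server['PHP_SELF'] . "\"\n";
echo 'hardened:     action="' . form_action($server) . "\"\n";
```

Run it with `php` on the command line: with the constructed request the hardened action value is `/form.php`, while the raw PHP_SELF line shows the quote and angle bracket landing inside the attribute. Even when PATH_INFO is absent, keep the htmlspecialchars() call; the suffix stripping only narrows what reaches the attribute, the escaping is what makes the output safe for that context.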