1

I have written code for redirecting the page on submitting the form. I have a drop-down and a textbox in that form. I typed </script> as input for the textbox, which led to normal execution but with ); on screen.

This is what I got from my Firebug tool:

<script type="text/javascript">
loadSearch('Customer','
</script>
'); 

PHP CODE for submit

<?php
if($_POST['searchButton']){
    echo "<script type='text/javascript'>loadSearch('".$_REQUEST['search_details']."','".$_REQUEST['search_input']."'); </script>";
}
?>

JAVASCRIPT

function loadSearch(selM,selK){
    document.location.href="index.php?pg=search&selM="+selM+"&selK="+selK;
}//loadSearch

Note: $_REQUEST['search_input'] is the textbox and if the textbox is given with </script> as input

NMN
  • 125
  • 9
  • I have no idea what you are asking here. Please improve your question. – Chilion Jan 12 '15 at 10:47
  • I tried to edit your question so it is at least clear what is text and what is code, but still the first paragraph is a mess, and I don't know which of those `)` and `;` are part of the question. Please edit this, put inline code fragments in backticks, and rephrase the question. – GolezTrol Jan 12 '15 at 10:48
  • @Chilion shouldn't it be the **question?** – bluefog Jan 12 '15 at 10:49
  • 1
    You have neither described a problem nor asked a question. How can we help you? – JLRishe Jan 12 '15 at 10:49
  • @Shikhar Bhardwaj Yep. Changed, tnx! – Chilion Jan 12 '15 at 10:50

3 Answers

2

There is a severe vulnerability in your server-side code. You should always clean strings which arise from user input using methods like htmlspecialchars.

Replace :

$_REQUEST['search_details']

and

$_REQUEST['search_input']

With :

htmlspecialchars($_REQUEST['search_details'], ENT_QUOTES, 'UTF-8')

and

htmlspecialchars($_REQUEST['search_input'], ENT_QUOTES, 'UTF-8')

Not doing this can make your website vulnerable: a malicious user could include scripts to snoop on your users. What this function does is convert special characters like < to HTML character entities like &lt; so that they can't be interpreted as code by the browser on the client side.

bluefog
  • 1,894
  • 24
  • 28
  • `htmlspecialchars()` is not the right tool for this job. The values will be incorrectly interpreted in the JavaScript. – JLRishe Jan 12 '15 at 11:40
0

Why do you not consider using plain JavaScript without any PHP?

<input type="text" id="selM">
<input type="text" id="selK">
<input type="button" onclick="loadSearch(document.getElementById('selM').value,document.getElementById('selK').value);">
0

The problem is that you are dumping the request values into your page without doing any escaping of them. Since this is JavaScript, one quick fix is to use json_encode() to encode the values as JSON:

<?php
if($_POST['searchButton']){
    echo "<script type='text/javascript'>loadSearch(".
           str_replace('<', '\x3C', json_encode($_REQUEST['search_details'])) . ", " .
           str_replace('<', '\x3C', json_encode($_REQUEST['search_input'])) .
           ");</script>";
}
?>

Also, your function should be using encodeURIComponent():

function loadSearch(selM,selK){
    document.location.href="index.php?pg=search&selM="+
                           encodeURIComponent(selM) + "&selK=" + 
                           encodeURIComponent(selK);
}

But the question remains: if what you really want to do is redirect the user to a search page, why are you using this roundabout script approach in the first place? Why not just do a redirect directly from your PHP?

Community
  • 1
  • 1
JLRishe
  • 99,490
  • 19
  • 131
  • 169
  • @NMN Did you delete the `'` (single quote) before and after the part for `search_input`? You'll need to do that. – JLRishe Jan 12 '15 at 11:16
  • Redirection is happening, but the URL becomes /index.php?pg=search&selMod=Customer&selKey="<%2Fscript>"; I want it as /index.php?pg=search&selMod=Customer&selKey=; – NMN Jan 12 '15 at 11:25
  • @NMN The `%2F` is expected. That is the correct way to represent the value `/` in a URL query value. Regarding the pair of quotes that you are seeing there, I ask again, did you make sure to remove the two `'`s before and after the `search_input` part? – JLRishe Jan 12 '15 at 11:31
  • Yes; I used json_decode when displaying in the textbox – NMN Jan 12 '15 at 11:42
  • @NMN Can you paste the current PHP code that you are trying into [pastebin](http://pastebin.com/) or something so that I can have a look? – JLRishe Jan 12 '15 at 11:48
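To see why the json_encode approach in the answer above works where htmlspecialchars does not, here is an added example that models both escapings in Node.js. It is not code from the question or any answer; the helper names (jsLiteral, renderLoadSearchScript, argumentsSeenByJs, buildSearchUrl) are my own.

```javascript
// Added example, not code from the question or the answers. It models the
// json_encode + '<' -> '\x3C' approach from the answer above in Node.js; the
// helper names (jsLiteral, renderLoadSearchScript, ...) are my own.

// Encode an untrusted value as a JavaScript string literal that is safe inside
// an inline <script>: JSON.stringify escapes quotes, backslashes and newlines
// for the JS parser, and writing '<' as \x3C means the HTML parser can never
// see "</script>" (or "<!--") inside the script body.
function jsLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\x3C');
}

// Server-side rendering of the inline script the PHP in the question emits.
function renderLoadSearchScript(details, input) {
  return "<script type='text/javascript'>loadSearch(" +
    jsLiteral(details) + ', ' + jsLiteral(input) + ');</script>';
}

// HTML-entity escaping, i.e. what htmlspecialchars() with ENT_QUOTES does.
// It stops the HTML parser from seeing "</script>", but the JS engine then
// receives the entity text literally, so the search value arrives mangled.
function htmlspecialchars(value) {
  return String(value).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// What the JS engine would see: pull the two literals out of the rendered
// script and parse them. \x3C is not a JSON escape, so map it to the
// equivalent \u003c first, stepping over escaped backslashes ("\\") so that a
// value that itself contained the text "\x3C" is not mis-decoded.
function argumentsSeenByJs(html) {
  const body = html.match(/loadSearch\((.*)\);<\/script>$/)[1];
  const json = body.replace(/\\(\\|x3C)/g, (m, g) => (g === 'x3C' ? '\\u003c' : m));
  return JSON.parse('[' + json + ']');
}

// Client side: loadSearch() from the answer, returning the URL instead of
// assigning it to document.location so the result can be inspected here.
function buildSearchUrl(selM, selK) {
  return 'index.php?pg=search&selM=' + encodeURIComponent(selM) +
    '&selK=' + encodeURIComponent(selK);
}

// Constructed sample input: the probe value from the question.
const page = renderLoadSearchScript('Customer', '</script>');
const [selM, selK] = argumentsSeenByJs(page);
console.log(page);                        // the only "</script>" is the real closing tag
console.log(buildSearchUrl(selM, selK));  // index.php?pg=search&selM=Customer&selK=%3C%2Fscript%3E
```

With the entity approach the JS function would receive the text `&lt;/script&gt;` rather than the value the user typed, which is the point JLRishe makes in the comment under the first answer.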