PHP_SELF and XSS

Question

Possible Duplicate:
PHP_SELF and XSS

Why it's necessary to filter $_SERVER['PHP_SELF'], from e.g.:

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <!-- form contents -->
</form>

to:  

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>">
  <!-- form contents -->
</form>

in order to make it XSS-attack proof?

and:

How can attacker reach end users other than himself using the "vulnerability" of the first form?

And the answer to your second question is [here](http://bit.ly/lwwdUV). — Gumbo, May 21 '11 at 10:41

score 1 · Answer 1 · answered May 21 '11 at 10:37

1

How can attacker reach end users other than himself using the "vulnerability" of the first form?

The attacker can link to your site from a site he controls or an email he sends.

answered May 21 '11 at 10:37

Quentin

914,110
126
1,211
1,335

score 0 · Accepted Answer · answered May 21 '11 at 10:37

0

If you’re using AcceptPathInfo or something similar such that a URI like /index.php/foo/bar is directed to /index.php, requesting /index.php/%22%E3E… can get your following data outside the form tag.

And as for the second question: click here.

answered May 21 '11 at 10:37

Gumbo

643,351
109
780
844

PHP_SELF and XSS

2 Answers2