
PHP: <script> tag echoed from $_POST is mysteriously blocked

I'm trying to test information I learned regarding PHP security. I have a simple HTML5 page with a POST form and a single textarea input, where I input the following JS code:

<script>var x = 5; alert(x);</script>

In the receiving PHP page, I simply echo $_POST['varname']; to see the JS code executed. This is of course the first step in trying to sanitize the input.

...but it doesn't work! The HTML code I get back is literally

<doctype html>
<html>
<body>
<script>var P = 3; alert(P);</script></body>
</html>

... but the alert doesn't run! The more curious thing is that when I copy the code as it is into the PHP file and let it just return this code without using PHP, it again doesn't run, but then if I change the name of the variable or its value, it runs!

This happens both on Chrome and Safari. I checked out the sent and received headers and could not find anything suspicious.

Does anyone know what this weird voodoo magic is? Because I'm losing my mind here.

I ran your code, and in Chrome's console it says

"Refused to execute a JavaScript script. Source code of script found within request."

So it might be a natural security measure, with nothing wrong with the code.

The behaviour may vary from browser to browser because of their different approaches.

Found the solution. This is a security feature of WebKit itself - that is why both Chrome and Safari had it. To prevent certain forms of XSS attacks, it blocks the page from executing JS code that was sent in the request header. The way to bypass this is to send the response header

x-xss-protection: 0

and now all my fake malicious code works maliciously well.
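The filter discussed in this thread runs in the browser, so the server cannot count on it; the server-side control is output encoding. The following is an added example, not code from the original posts, that puts the question's raw echo beside an escaped version. `varname` is the field name from the question; `render_raw`, `render_escaped` and the sample string are assumptions made for illustration.

```php
<?php
// Added example, not code from the original posts. 'varname' is the field
// name from the question; function names and sample input are assumptions.
declare(strict_types=1);

// "Before": the question's echo. The value reaches the HTML parser as markup.
function render_raw(string $value): string
{
    return "<!doctype html>\n<html>\n<body>\n" . $value . "</body>\n</html>\n";
}

// "After": encode for the HTML text context so the value is inert text.
function render_escaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<!doctype html>\n<html>\n<body>\n<pre>" . $safe . "</pre></body>\n</html>\n";
}

if (PHP_SAPI === 'cli') {
    // Offline self-check on a constructed input shaped like the question's.
    $sample = '<script>var x = 5; alert(x);</script>';
    if (strpos(render_raw($sample), '<script>') === false) {
        throw new RuntimeException('raw output should contain a script element');
    }
    $out = render_escaped($sample);
    if (strpos($out, '<script>') !== false || strpos($out, '&lt;script&gt;') === false) {
        throw new RuntimeException('escaped output still contains markup');
    }
    echo $out;
} else {
    // A POST field can arrive as an array (varname[]=...); accept strings only.
    $value = $_POST['varname'] ?? '';
    $value = is_string($value) ? $value : '';
    // Second layer: this policy refuses inline <script> even if encoding is missed.
    header('Content-Type: text/html; charset=UTF-8');
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    echo render_escaped($value);
}
```

Run from the command line, it prints the escaped page for the sample input; served by a web server, it handles the form post from the question.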
