I have this kind of redirect now:
Redirect::to(htmlspecialchars('home.php'));
But when I type this on my home.php: /%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
why? They said that it will be converted so the exploit attempt will fail, but why is it not in mine?
htmlspecialchars encodes special characters to their HTML equivalents in the string passed as its argument. Your code
Redirect::to(htmlspecialchars('home.php'));
only encodes the string home.php and passes it to the Redirect::to function; it does not apply htmlspecialchars to the output of the whole page.
To solve this, you have to use it on every output in home.php, like this:
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>
(Example from: http://php.net/htmlspecialchars)
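To make the point of the answer concrete, here is an added example (not code from the question or the answer) of what "use it on every output in home.php" means in practice. It assumes a hypothetical query parameter q that home.php reflects into the page; the fallback value is the question's own payload, constructed here so the script also runs from the command line.

```php
<?php
declare(strict_types=1);

/**
 * Escape an untrusted value for use inside HTML text or a quoted attribute.
 * ENT_QUOTES escapes both " and ' so the value cannot break out of either
 * attribute quoting style; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
 * instead of making htmlspecialchars() return an empty string.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed parameter name (hypothetical). PHP has already URL-decoded
// %22%3E%3Cscript%3E... into the raw characters by the time it is in $_GET.
// The fallback is a constructed sample equal to the payload from the question.
$untrusted = $_GET['q'] ?? '"><script>alert(\'hacked\')</script>';

// Unsafe (the situation in the question): the raw value is written into the
// page, so the leading " closes the attribute and <script> becomes markup.
// echo '<input value="' . $untrusted . '">';

// Safe: encode at the point of output, every time untrusted data is echoed.
echo '<input value="' . e($untrusted) . '">', PHP_EOL;
// Output:
// <input value="&quot;&gt;&lt;script&gt;alert(&#039;hacked&#039;)&lt;/script&gt;">

// The same rule applies to text nodes, not only attributes.
echo '<p>You searched for: ' . e($untrusted) . '</p>', PHP_EOL;
```

Calling htmlspecialchars() on the redirect target, as in the question, changes nothing about how home.php later prints the values it receives; only escaping at each echo does.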