stackoom
  简体   繁体   中英

PHP_SELF and SCRIPT_NAME - XSS attacks edition

 原文  2011-08-05 00:48:08       php/ xss

Question

PHP_SELF opens up a page to XSS attacks when code such as echo $_SERVER['PHP_SELF'] is included, but what about SCRIPT_NAME ? Since it does not include path info, is this safe to use? I know you can use htmlentities and other similar functions to sanitize but I'd rather avoid the extra function call.

I'm quite sure that it would be safe to use but I'd like the reassurance of the SO community :)

1 answers

solution1
 2 ACCPTED  2011-08-05 00:53:59

As good practice, you should always protect against any variables from $_SERVER, $_GET, $_POST etc. 

$str = filter_var($input, FILTER_SANITIZE_STRING);

A simple way to sanitize a string, or you can use htmlentities. I create a class that I use when returning any variables from $_SERVER, $_GET and $_POST.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Difference between: $_SERVER['SCRIPT_NAME'] and $_SERVER['PHP_SELF'] SCRIPT_NAME and PHP_SELF with mod_rewrite in .conf PHP_SELF vs PATH_INFO vs SCRIPT_NAME vs REQUEST_URI What's the difference between $_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_NAME']? PHP_SELF and XSS PHP XSS command when using $_SERVER['PHP_SELF'] How is SCRIPT_NAME dangerous in PHP? $_SERVER['SCRIPT_NAME''] in PHP-CGI ? ReCaptcha and php_self work with PHP_SELF
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM