[nycphp-talk] $_SERVER['PHP_SELF'} not working?
Chris Shiflett
shiflett at php.net
Thu Jul 21 12:10:52 EDT 2005
csnyder wrote:
> This also means that if you use $_SERVER['PHP_SELF'] as the url for a
> <form> action, you'd better make sure you filter it using
> htmlentities(). One urlencoded doublequote would open you up to a
> cross-site scripting attack.
Yep, and this is discussed here:
http://blog.phpdoc.info/archives/13-XSS-Woes.html
As Dan pointed out, the default action is the current URL anyway.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
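The injection csnyder and Chris are talking about, as an added example that is not code from this thread or from the linked post. PHP_SELF is the script name plus any trailing path info, and on servers that accept path info that trailing part arrives URL-decoded, so the attacker-controlled value below is what `$_SERVER['PHP_SELF']` would hold for a request to `/form.php/%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E`. The value is constructed here so the script runs offline from the CLI; the three function names are my own.

```php
<?php
// Added example: simulate a PHP_SELF value that carries injected path info
// and compare the raw, escaped, and action-less forms of the <form> tag.

// Constructed value standing in for $_SERVER['PHP_SELF'] on a request to
// /form.php/%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E (path info decoded).
$php_self = '/form.php/"><script>alert(1)</script>';

// Vulnerable: the raw value is dropped into a double-quoted attribute.
// The " closes the attribute, the > closes the tag, and the script runs.
function vulnerable_form(string $self): string
{
    return '<form action="' . $self . '" method="post">' . "\n"
         . '  <input type="text" name="q">' . "\n"
         . '</form>' . "\n";
}

// Hardened: escape for an HTML attribute context. ENT_QUOTES encodes both
// ' and " so the value cannot terminate a quoted attribute; htmlentities()
// with the same flags gives the same protection (before PHP 8.1 its default
// flags were ENT_COMPAT, which leaves single quotes alone, so pass them).
function safe_form(string $self): string
{
    $escaped = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">' . "\n"
         . '  <input type="text" name="q">' . "\n"
         . '</form>' . "\n";
}

// Simplest: omit the action attribute. The browser submits to the current
// URL, which is exactly what PHP_SELF was being used to express.
function default_action_form(): string
{
    return "<form method=\"post\">\n"
         . "  <input type=\"text\" name=\"q\">\n"
         . "</form>\n";
}

echo "--- vulnerable ---\n", vulnerable_form($php_self);
echo "--- escaped ---\n", safe_form($php_self);
echo "--- no action attribute ---\n", default_action_form();

// Quick check: the escaped output must not contain the literal script tag.
$leaked = strpos(safe_form($php_self), '<script>') !== false;
echo "script tag leaked into escaped output: ", $leaked ? "yes" : "no", "\n";
```

Run it with `php example.php`. The escaped form renders the attack string as `&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;` inside the attribute, which the browser treats as an odd but harmless path; the vulnerable form emits a closed tag followed by a live `<script>` element.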