[nycphp-talk] Form action submission trickery
John Campbell
jcampbell1 at gmail.com
Fri Nov 30 12:46:40 EST 2007
An empty URI is a valid URI that just means the current URI. It is
perfectly safe. I use it on most every method="post" form; it doesn't
make sense if method="get".
see:
http://www.ietf.org/rfc/rfc2396.txt
section 4.2
> (Which leads to the question, is PHP_SELF safe to use, or should you escape it?)
Of course you have to escape it. Type the following into Google <a
href="javascript:alert('hello world')"> and notice how many times it
appears in the HTML: URL, input box, pagination, etc.
Cheers,
John Campbell
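The two alternatives discussed in this thread side by side, as an added example that is not part of the original post: an empty action attribute, which reflects nothing from the request, versus PHP_SELF, which carries client-supplied path info and so must be escaped as an HTML attribute value. The script path `/form.php` and the sample request path are constructed for illustration.

```php
<?php
// Added example (not from the original thread). Assumes the script is
// served as /form.php and that the server passes trailing path info
// ("/form.php/extra") through to PHP_SELF, which it does by default.

// 1. Empty action: the browser submits back to the current URI
//    (a same-document reference per RFC 2396 section 4.2). Nothing
//    from the incoming request is echoed into the markup.
function form_action_empty(): string
{
    return '<form method="post" action="">';
}

// 2. PHP_SELF: includes PATH_INFO, so everything after "/form.php" is
//    whatever the client chose to send. Escaping with ENT_QUOTES turns
//    both '"' and "'" into entities so the value cannot break out of
//    the attribute, regardless of which quote style the template uses.
function form_action_self(string $php_self): string
{
    $safe = htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Constructed sample request path with a quote and markup in PATH_INFO.
$sample_php_self = '/form.php/"><b>x</b>';

echo form_action_self($sample_php_self), "\n";   // quote and brackets are entity-encoded
echo form_action_empty(), "\n";                  // no request data in the output at all
```

In real code the argument to form_action_self() would be $_SERVER['PHP_SELF']; the same escaping rule applies to every other place the request path is reflected (links, hidden inputs, pagination).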