http://www.webadminblog.com/index.php/2010/02/23/a-xss-vulnerability-in-almost-every-php-form-ive-ever-written/ Real Web Admins. Real World Experience. Mon, 23 Aug 2010 03:12:50 +0000 hourly 1 http://wordpress.org/?v=3.0.1 http://www.webadminblog.com/index.php/2010/02/23/a-xss-vulnerability-in-almost-every-php-form-ive-ever-written/comment-page-1/#comment-578 pgl Tue, 02 Mar 2010 09:17:28 +0000 http://www.webadminblog.com/?p=401#comment-578 (Incidentally, if you want a script to post back to itself, it's easier just to leave out the action="" part altogether in your tag). (Incidentally, if you want a script to post back to itself, it’s easier just to leave out the action=”" part altogether in your tag).

]]> http://www.webadminblog.com/index.php/2010/02/23/a-xss-vulnerability-in-almost-every-php-form-ive-ever-written/comment-page-1/#comment-577 pgl Tue, 02 Mar 2010 09:16:12 +0000 http://www.webadminblog.com/?p=401#comment-577 But... index.php" isn't a valid URL? But… index.php” isn’t a valid URL?

]]> http://www.webadminblog.com/index.php/2010/02/23/a-xss-vulnerability-in-almost-every-php-form-ive-ever-written/comment-page-1/#comment-573 Rasmus Fri, 26 Feb 2010 05:39:45 +0000 http://www.webadminblog.com/?p=401#comment-573 Ernest, you just described http://php.net/filter which lets you set a default filter that is applied to all user data. Ernest, you just described http://php.net/filter which lets you set a default filter that is applied to all user data.

]]> http://www.webadminblog.com/index.php/2010/02/23/a-xss-vulnerability-in-almost-every-php-form-ive-ever-written/comment-page-1/#comment-572 Ernest Wed, 24 Feb 2010 19:46:37 +0000 http://www.webadminblog.com/?p=401#comment-572 Yeah, seems like there should be an almost automatic routine to scrub all that "other" user input before it even gets put into the variables. All HTTP headers, cookies... Anything else from the HTTP request you're tempted to use like user-agent all suffer from the same problem. Yeah, seems like there should be an almost automatic routine to scrub all that “other” user input before it even gets put into the variables. All HTTP headers, cookies… Anything else from the HTTP request you’re tempted to use like user-agent all suffer from the same problem.

]]> http://www.webadminblog.com/index.php/2010/02/23/a-xss-vulnerability-in-almost-every-php-form-ive-ever-written/comment-page-1/#comment-571 Josh Wed, 24 Feb 2010 13:40:15 +0000 http://www.webadminblog.com/?p=401#comment-571 When my application vulnerability scanner found the vulnerability I started searching around in Google and that was the very first page that came up and how I figured out the fix for the issue. Big thanks to Sean for writing that and everyone who commented on it afterward. An excellent blog post. When my application vulnerability scanner found the vulnerability I started searching around in Google and that was the very first page that came up and how I figured out the fix for the issue. Big thanks to Sean for writing that and everyone who commented on it afterward. An excellent blog post.

]]> http://www.webadminblog.com/index.php/2010/02/23/a-xss-vulnerability-in-almost-every-php-form-ive-ever-written/comment-page-1/#comment-570 anonymous Wed, 24 Feb 2010 11:14:48 +0000 http://www.webadminblog.com/?p=401#comment-570 http://seancoates.com/xss-woes http://seancoates.com/xss-woes

]]>