Is $_SERVER['QUERY_STRING'] safe from XSS?

面向向阳花 2020-12-18 04:15

I need to construct a form whose action takes you back to the exact same page - GET parameters included. I'm thinking I can say something to the effect of:



        
5 answers
  • 2020-12-18 04:46

    If it's exploitable by XSS, first you need to know which attack. In the code posted here there is just one simple attack using the PHP_SELF.

    But, to avoid any problem you could just leave the form action in blank. This will send the form to the same page including the query string.

  • 2020-12-18 04:50

    This is another one of those instances where using PHP's filter_input is the way to go. My IDE NetBeans (hate it or love it) always complains whenever I open code that accesses $_POST, $_GET, $_SERVER and $_COOKIE directly without going through filter_input.

    This is because of the reasons stated above - you're saying that you trust external data, when, if it can be entered or manipulated by users, you cannot.

    // Sanitize a POSTed integer id (keeps only digits, plus and minus signs)
    filter_input(INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT);
    // Note: FILTER_SANITIZE_STRING is deprecated since PHP 8.1; when the value
    // is destined for HTML output, escape it with htmlspecialchars() instead
    filter_input(INPUT_SERVER, 'QUERY_STRING', FILTER_SANITIZE_STRING);


    Read more here

  • 2020-12-18 04:57

    You should never trust $_SERVER['QUERY_STRING'] as it can be used for XSS attacks.

    In your case, one could exploit the vulnerability with:

    http://your.server.com/your_script.php?"><script>alert(111);</script>
    

    Note that the code above works on IE; Firefox and Chrome efficiently encode the query string before sending it to the web server.

    I would always wrap it with htmlentities (mind the double_encode parameter) as with every user input.

    Good luck!

  • 2020-12-18 04:57

    First of all, you can not trust $_SERVER['PHP_SELF'] (1) - use $_SERVER['SCRIPT_NAME'] instead.

    As for $_SERVER['QUERY_STRING'], you should treat it as any other user input. Filter it before using it in your output. I would not recommend some sort of a general filter in this case. It would be better to reassemble the query string from specific pieces you expect to be there.

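As an added example, not code from any of the answers: the form-action pattern the question implies, beside a hardened version that follows the two answers above it (SCRIPT_NAME instead of PHP_SELF, the query string rebuilt only from the parameters the page expects, then HTML-escaped). The parameter names page and sort and the constructed request data are assumptions.

```php
<?php
// Added example (not from any answer above). The first function is the
// pattern the question implies; the second applies the advice of the
// two preceding answers. Parameter names 'page' and 'sort' are assumed.

// Unsafe: both values come from the request. A query string such as
// ?"><script>alert(111);</script> closes the action attribute and the
// <form> tag, and the browser runs the injected script.
function unsafeFormAction(array $server): string
{
    return $server['PHP_SELF'] . '?' . $server['QUERY_STRING'];
}

// Hardened: SCRIPT_NAME instead of PHP_SELF, only the parameters this
// page expects, percent-encoding via http_build_query(), and HTML
// attribute escaping of the final value.
function safeFormAction(array $server, array $get, array $allowed): string
{
    $kept = [];
    foreach ($allowed as $name) {
        if (isset($get[$name]) && is_scalar($get[$name])) {
            $kept[$name] = (string) $get[$name];
        }
    }
    $action = $server['SCRIPT_NAME'];
    if ($kept !== []) {
        $action .= '?' . http_build_query($kept);
    }
    // ENT_QUOTES escapes both quote styles, so the value is safe in action="..."
    return htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request data standing in for $_SERVER and $_GET.
$server = [
    'PHP_SELF'     => '/your_script.php',
    'SCRIPT_NAME'  => '/your_script.php',
    'QUERY_STRING' => 'page=2&sort="><script>alert(111);</script>',
];
$get = ['page' => '2', 'sort' => '"><script>alert(111);</script>', 'utm' => 'x'];

// The unsafe version emits the payload verbatim; the safe version keeps
// page and sort (percent-encoded and attribute-escaped) and drops utm.
echo '<form action="' . unsafeFormAction($server) . '">', PHP_EOL;
echo '<form action="' . safeFormAction($server, $get, ['page', 'sort']) . '">', PHP_EOL;
```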
  • 2020-12-18 04:58

    I can't think of any attacks that would work off-hand, but PHP_SELF itself is vulnerable and you're using QUERY_STRING without any filtering whatsoever, which seems odd.

    Why not just leave the action parameter blank and let the browser decide? You can use JavaScript to properly enforce this behaviour on the client-side if you want to be doubly sure.
