Question
Looking at some old code of a client's, he's using
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" />
I was wondering if it was subject to XSS, but when I try:
form.php"><script>alert('xss');</script> => 404 NOT FOUND from Apache
form.php/"><script>alert('xss');</script> => 404 from my app
I must specify that I also use ?action=specific_page in the URL for its normal use.
Does that mean no XSS is possible using PHP_SELF, or does that mean I'm trying it the wrong way?
Answer 1:
If your form is in the form.php script, try accessing it in the browser with a URL like http://yoursite.com/form.php/"><script>alert('XSS')</script> to see if it is vulnerable to injection.
If it doesn't do anything, your configuration prevents this, at least for this specific file.
(Of course, you should use something like htmlspecialchars($_SERVER['SCRIPT_NAME']) anyway.)
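The difference between the two server variables, as an added example that is not part of the original question or answer: PHP_SELF is SCRIPT_NAME plus any trailing PATH_INFO, so a request for form.php/<extra> carries the extra segment into the attribute, while SCRIPT_NAME does not. The $server array below is a constructed stand-in for $_SERVER, assuming the web server passes such a request through to form.php.

```php
<?php
// Added example, not code from the original page.
// Shows why echoing $_SERVER['PHP_SELF'] unescaped is unsafe and how
// htmlspecialchars($_SERVER['SCRIPT_NAME']) closes the hole.

// Constructed stand-in for $_SERVER when form.php is requested with an
// extra path segment that contains HTML metacharacters. PHP_SELF is
// SCRIPT_NAME followed by PATH_INFO; SCRIPT_NAME is only the script path.
$server = [
    'SCRIPT_NAME' => '/form.php',
    'PATH_INFO'   => '/"><b>injected</b>',
    'PHP_SELF'    => '/form.php/"><b>injected</b>',
];

// Vulnerable pattern from the question: user-influenced PATH_INFO lands
// inside a double-quoted attribute without escaping, so the closing
// quote in the request breaks out of the attribute.
function action_unsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened pattern from the answer: SCRIPT_NAME never contains PATH_INFO,
// and it is still escaped (ENT_QUOTES covers both quote characters) so
// it is safe in an attribute regardless of what the server puts in it.
function action_safe(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Simple check a reviewer can run: the rendered tag must contain exactly
// one opening <form and no stray markup after the attribute value.
function attribute_intact(string $html): bool
{
    return substr_count($html, '<') === 1;
}

echo "unsafe : ", action_unsafe($server), "\n";
echo "safe   : ", action_safe($server), "\n";
echo "unsafe intact? ", attribute_intact(action_unsafe($server)) ? 'yes' : 'no', "\n";
echo "safe   intact? ", attribute_intact(action_safe($server)) ? 'yes' : 'no', "\n";
```

Run it with the PHP CLI; the unsafe line shows the injected segment escaping the attribute, and the safe line shows only /form.php.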
Source: https://stackoverflow.com/questions/13247997/serverphp-self-vulnerability-not-working