hariskar, Posted September 2, 2016

In this example, if I put in the fields: <script>location.href('http://www.hacked.com')</script> , it gives as my input: <script>location.href('http://www.hacked.com')</script>hariskar@gmail.com<script>location.href('http://www.hacked.com')</script><script>location.href('http://www.hacked.com')</script>

Since there is htmlspecialchars() here:

    function test_input($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

shouldn't it return HTML-escaped code? Also, since we have htmlspecialchars() in the function test_input mentioned above, why do we also have htmlspecialchars() in the form action:

    action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>"

Couldn't we put something like this as the form action: action="form-page.php"? Thank you!
davej, Posted September 2, 2016

What are you expecting it to print? It replaces special characters with entities, as described here... http://www.w3schools.com/charsets/ref_html_ascii.asp

The global PHP_SELF is vulnerable to hacks. If you enter the actual file name then there is no risk.
dsonesuk, Posted September 2, 2016

Check out Firebug's 'Net' tab for the post and then the response; the response will show as encoded, such as '< >' as &lt; &gt;. If you wish to see these tags from output, use $data = htmlentities($data);
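Added example, not code from the thread or from the W3Schools page it refers to: the test_input() from the question with explicit flags, run on the input the question tried, plus the two form-action variants davej contrasts. It assumes only a stock PHP CLI (PHP 7 or later) and that the form page is called form-page.php.

```php
<?php
// Added example for this thread: shows what test_input() actually sends to
// the browser, and why the form action built from PHP_SELF needs escaping
// while a fixed filename does not.

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    // ENT_QUOTES also encodes single quotes, so the result is safe inside
    // attribute values quoted with either ' or ". ENT_SUBSTITUTE keeps a
    // malformed UTF-8 byte sequence from making the function return ''.
    $data = htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $data;
}

// Constructed sample input: the same value the question typed into the field.
$raw = "<script>location.href('http://www.hacked.com')</script>";
$escaped = test_input($raw);

// This is what reaches the browser: entities, not a tag. "View source" or
// the Net/Network tab shows it like this; the rendered page shows the tag as
// plain text, which is why it *looks* as if the script was echoed back.
echo $escaped, PHP_EOL;
// &lt;script&gt;location.href(&#039;http://www.hacked.com&#039;)&lt;/script&gt;

// The browser never executed anything: the escaped string contains no '<'.
var_dump(strpos($escaped, '<') === false); // bool(true)

// $_SERVER['PHP_SELF'] is derived from the request URL (script path plus any
// trailing path info), so it is request-controlled output and must be escaped
// like any other. On the CLI it is just the script name; the fallback below
// is only so the example runs when the key is absent.
$self = $_SERVER['PHP_SELF'] ?? '/form-page.php';
$action_from_self = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// A fixed filename contains nothing from the request, which is davej's point:
// there is nothing for an attacker to influence, so there is nothing to escape.
$action_fixed = 'form-page.php';

printf('<form method="post" action="%s">%s', $action_from_self, PHP_EOL);
printf('<form method="post" action="%s">%s', $action_fixed, PHP_EOL);
```

Run it with `php example.php`; compare the first echoed line with what the rendered page shows to see the difference between the encoded source and the displayed text.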