I have been doing some testing with XSS and I created a simple form with one text input and the php at the top of the page echoes out the value, like this:
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Mysite</title>
</head>
<body>
<?php if(isset($_POST['name'])) {
$name = $_POST['name'];
echo $name;
}
?>
<form action="" method="post">
<input type="text" name="name"/>
<input type="submit" value="Submit" />
</form>
</body>
</html>
I entered a javascript code in the text input like this:
<script type="text/javascript">alert('XSS!');</script>
When I do this in Google Chrome I get nothing, no output, no alert box and no errors. But when I view it in Internet Explorer I get the alert box as expected.
Why is this happening?
Chrome has a built in xss filter:
http://blog.securitee.org/?p=37
and
https://security.stackexchange.com/questions/16247/does-google-chrome-protect-against-cross-site-scripting-xss
because this is what you are printing.. no browser should protect that(or you shouldn't rely on that).. you have to convert all html by yourself :) html encode it...
Related
I want to echo the textarea value with PHP, so I create a simple form with HTML, and inside it I include textarea element with name of b64_place and then input to submit the values.
I check if b64_place is set, and if it is I echo the value of the textarea. But my program doesn't even get into the condition block, I try debugging and it is just not doing nothing.
<!DOCTYPE html>
<html lang="en">
<head>
<title>Document</title>
</head>
<body>
<form action="index.php" method="GET">
<textarea name="b64_place" form="encode">Enter text here:</textarea>
<input type="submit" value="Encode">
</form>
<?php
if (isset($_GET['b64_place'])) {
$base64e_text = htmlspecialchars($_GET['b64_place']);
echo $base64e_text;
}
?>
</body>
</html>
Your textarea contains an attribute form This attribute is used to define the id of the form this input is attached to. So, when you submit the form, the textarea isn't bound with that form and the datas aren't send
You can either add an id to the form :
<!-- check this ----------------------v---------v -->
<form action="index.php" method="GET" id="encode">
<textarea name="b64_place" form="encode">Enter text here:</textarea>
<input type="submit" value="Encode">
</form>
or simply remove the form="encode"
Edit based on suggestion from senior SO members,
The reason i recommend you to change the method to POST is because of the length limit of the GET method. At some point you may want to encode very large data and it may get trimmed of because of URL length limit. But with POST you don't have to worry about this restriction.
Steps to solve your issue.
If your Form and your PHP code is in the same file changethe action="index.php" to action="" and change the method="GET" to method="POST"
In text area use placeholder to tell the user what to input instead of writing it between the tags.
change $_GET to $_POST everywhere in your code.
You can copy the following code into the index.php and it will work fine.
<!DOCTYPE html>
<html lang="en">
<head>
<title>Document</title>
</head>
<body>
<form action="" method="POST">
<textarea name="b64_place" placeholder="Enter text here:"></textarea>
<input type="submit" value="Encode">
</form>
<?php
if (isset($_POST['b64_place'])) {
$base64e_text = htmlspecialchars($_POST['b64_place']);
echo $base64e_text;
}
?>
</body>
</html>
this is the code for my html page in the site:
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>index</title>
</head>
<body>
<html>
<body>
<form action="Untitled-4.php" method="get">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
</body>
</html>
</body>
</html>
and this is my code for the "Untitled-4.php" file:
<html>
<body>
<?php
if ($_GET["name"] == "tom"){
echo "hello you are special";
}
?>
</body>
</html>
this is the error i am getting:
"undefined index on line 7 of the php file"
I am trying to use the GET method to take whatever the user types in the "name" box to be used in the if statement that echoes "you are special" if the user types in "tom". can anyone tell me what the problem here is.
(the question stack overflow is saying is a possible duplicate is a completely different question)
Check if the variable is set first:
<html>
<body>
<?php
if (isset($_GET["name"])) {
if ($_GET["name"] == "tom"){
echo "hello you are special";}
} else {
echo "you are not special";
}
?>
</body>
</html>
for some reason i just tried it again with no changes to my code and it appears to be working i did not actually have to do anything.
I have a textarea that users can edit. After the edit I save the text in a PHP variable $bio. When I want to display it I do this:
<?php
$bio = nl2br($bio);
echo $bio;
?>
But if a user for example types an HTML command like "strong" in their text my site will actually output the text as bold. Which is nothing I want.
How can I print/echo the $bio on the screen just as text and not as HTML code?
Thanks in advance!
Replace echo $bio; with echo htmlspecialchars($bio);
http://php.net/htmlspecialchars
When you output text to the html / the browser and you want to make sure that the output does not break the html, you should always use htmlspecialchars().
In your case you do want to show the <br> tags, so you should do that before you add them:
$bio = nl2br(htmlspecialchars($bio));
You can also use strip_tags() to get rid of the html tags altogether, but you would still need to use htmlspecialchars() so that for example a < character will not break your html.
You can also use htmlentites()
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title></title>
</head>
<body>
<form method="POST" action="">
<p><textarea rows="8" name="bio" cols="40"></textarea></p>
<p><input type="submit" value="Submit"></p>
</form>
<p>Result:</p>
<?php echo isset($_POST['bio']) ? htmlentities($_POST['bio']) : null; ?>
</body>
</html>
So like:
I have following codes
<html>
<head>
<title>Javascript function </title>
<style type="text/css">
.box
{
width:400px;
background-color:#F0F8FF;
}
h4
{
color:#09F
}
</style>
<script type="text/javascript">
function hello(){
var xx=eval(form1.text1.value);
var yy=eval(form1.text2.value);
form1.text3.value=xx+yy
}
</script>
</head>
<body onLoad="form1.text1.focus()">
<center>
<div class="box">
<h1 style="color:#2c80d3 ">Javascript Function</h1>
<table border="0" cellspacing="1" cellpadding="1" width="25%">
<form name="form1" action="textboxes.php" method="Post">
<tr><td> First</d><td width="20px"><input type="text" name="text1" value=""></td></tr>
<tr><td> Second</d><td><input type="text" name="text2" value="" onBlur="hello()"></td></tr>
<tr><td> Result</d><td><input type="text" name="text3" value="" disabled=""></td></tr>
</form>
</table>
<h4>Enter any digit in text1 and text2 and see result in text3</h4>
<h4>Is it possible to do above with php without submitting FORM?</h4>
</div>
</center>
</body>
</html>
No problem, It works fine.
I used java script to sum two numbers.
Is it possible to add two numbers with php without using any submit button?
If yes then please guide me.
http://i41.tinypic.com/2rfev7m.jpg
If you want to do it without a submit button and in php, you can use an AJAX request in javascript to the server, which will compute to value and then return it to the client.
here is the working sample.
First of all we need to create a html file named add.html.
here is the code of the add.html file…
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Addition</title>
</head>
<body>
<form action="result.php" method="post">
Enter first Integer: <input type="text" name="first" size="5" /><br/>
Enter second Integer: <input type="text" name="sec" size="5" /><br/>
<input type="submit" name="submit" value="Add" />
</form>
</body>
</html>
place it in the pseudo server folder. If your pseudo server is WampServer, then the path of the file will be
C:/wamp/www/add.html
now open your favorite browser and to the address bar type
localhost/add.html
You can see the add.html page. add with number
You can see two text box where you can input the numbers and a submit button. You can input two numbers into the input boxes and press the submit button (The Add button). But nothing will happen. Because the php will do the adding job.
Lets create the php file. You can name it result.php. As I have already declared in the add.html form action is the result.php.
<form action="result.php" method="post">
if you give different name of the php file then please change the form action php name in add.html.
Here is the php code of result.php…
<?php //Starting of php
$first = $_POST['first']; //Getting Value of first integer from add.html
$sec = $_POST['sec']; //Getting Value of Second integer from add.html
$res = $first + $sec; //Adding the two values and placing the added result to 'res' variable
echo 'Added Result:';
echo $first." + ".$sec." = ".$res; //Showing the result to the screen
//Ending of php
?>
save this result.php file in the server path where you have already placed the add.html file.
Now it is the time to test. Open your favorite browser and in the address bar type…
localhost/add.html
enter two numbers and hit the Add button. you will see that the browser will direct you to the result.php page where you can see the added result.
hope this will help you.
In a form I have an <iframe> that contains a PHP file (editor.php). This PHP file contains an HTML form.
Well, when I do a "submit form", I call the same PHP file, for example main.php.
When I press the submit button, I have "onclick method" that it calls a Javascript function inside editor.php. This function executes the form.
My problem is that main form is executed correctly but the second form is not.
In the second loop of the form of editor.php receives nothing.
**Check this way it will work as you expected**
//main.php
<html>
<head>
<script type="text/javascript">
function validateMain()
{
alert('main');
}
function validateSub()
{
alert('sub');
}
</script>
</head>
<body>
<form id="main" onsubmit="return validateMain();">
<input type="text" name="first" id="first"/>
<input type="submit" value="Submit Main"/>
</form>
<iframe name="ifr-form" id="ifr-form" src="test.html"></iframe>
</body>
</html>
//test.html the second form included through iframe
<!DOCTYPE html>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div>
<form id="sub" onclick="return window.top.validateSub();">
<input type="text" name="first" id="second"/>
<input type="button" value="Submit Sub" />
</form>
</div>
</body>
</html>
you must check if php and iframe are compatible, as far as i Know I don't think that frames and php gives any output, hope this helps.