Am using
<form action="<?php echo htmlspecialchars(Uri::getInstance()->toString()); ?>" method="post"
name="adminForm" id="adminForm">
However, theres dynamic link which is generated like on clicking link as
https://www.mywebsite.com/index.php?option=com_rsform&formId=1&form[car]=Honda&form[Model]=City%20Hybrid%20e%20HEV
Due to above code for htmlspecialchars link on clicking is just refresing the page. I understand the purpose of htmlspecialchars for security
Any workaround solution that the dynamic link as generated can be executed.
I'm trying to send a POST request with part of the webpage URL as the parameter. For instance, in this url:
http://testsite.com/confirmEmail/?token=abcdefg
I want to be able to send the input token with the value abcdefg. I want to make this responsive to different token values. Any ideas?
Thanks
This answer is assuming they will do some action on this page, otherwise you would want a redirect.
<?php
$token=$_GET['token'];
?>
<form method="POST">
<input type="hidden" name="token" value="<?php echo htmlentities($token, ENT_QUOTES);?>" />
<!--other form fields and submit button here-->
</form>
UPDATE:
This was a simple answer, to be easily understood, but of course echoing out a get variable straight from the url opens you up to xss. Someone edited my answer to strip quotes from that variable but htmlentities() is also vulnerable to xss. I believe the appropriate function nowadays is htmlspecialchars($token, ENT_QUOTES, "UTF-8"). If you go this route, you need to be careful about which encoding & characters you put in your tokens now, so they aren't stripped, which would probably break your verification process. Looks like it's numeric in the example, so you should be ok. Also remember someone could still post a modified form, so you need to sanitize this token field to prevent injections, but hopefully that's not relevant to this question.
when the url is localhost/school/portfolio/contact.php it works fine, but when I use a get parameter index.php?page=contact it redirects to index.php
The code I use
$url = "http". ((!empty($_SERVER['HTTPS'])) ? "s" : "") . "://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
header('Location: '.$url."?sent=yes");
What do I have to add?
This should help :)
<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
Otherwise see my answer on this "How to get base URL with PHP?" Question for more help :)
there are couple of ways to do so.. (choose what suits you..)
1)use $_SERVER['PHP_SELF']
2)Use parse_url() to get PHP_URL_PATH and PHP_URL_QUERY parts, and redirect to relative path.
But it'll better to store redirect links in session.
This seems to be an old thread, but to help the future visitors to this page it is worth adding a comment about security issues with $_SERVER['PHP_SELF'].
If adding $_SERVER['PHP_SELF'] to the form action attribute as suggested in the comments above, you are setting yourself up for XSS attack.
One solution is to wrap $_SERVER['PHP_SELF'] with htmlentities() like so:
<form action="<?php echo htmlentities($_SERVER['PHP_SELF']) ?>" method="post">
This is a good read on the topic:
http://www.html-form-guide.com/php-form/php-form-action-self.html
I've found an article claiming that $_SERVER['PHP_SELF'] is vulnerable to XSS.
I'm not sure if I have understood it correctly, but I'm almost sure that it's wrong.
How can this be vulnerable to XSS attacks!?
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<!-- form contents -->
</form>
To make it safe to use you need to use htmlspecialchars().
<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>
See A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written for how $_SERVER["PHP_SELF"] can be attacked.
It is indeed a XSS vulnerability. I do understand that you believe it may not harm your website, but this doesn't mean it is not real.
If you do not believe it, try the following:
We assume you have a page such as "registration.php".
We assume you have a form where action is:
<?php echo $_SERVER['PHP_SELF']; ?>
as you put it down indeed:
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<!-- form contents -->
</form>
Now simply append the string below
%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
It is not actually hard to understand, because PHP_SELF is a reflection of the URL, your application will read whatever you put in the URL and echo it. It is simple as that.
htmlspecialchars should take care of the matter, no reason to dispute the evidence.
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<!-- form contents -->
</form>
However, even this is a first step in stealing a cookie, it's not that it take place automatically. Even if it's quite easy to craft the attack (as the attacker will register on your site and will see how the cookie looks...etc.), a series of other factors must be true to get to the point of having a cookie stealing situation. For instance, the cookie must not be expired. Than it depends of how complex the cookie is. Than maybe you have other precautions in placed on server, it doesn't have to be all authentication based on the presence of cookie!
While I do believe it is rather difficult and really bad programming for all conditions to met (even if yahoo.mail for example had such a vulnerability and if you look on internet you will find even the exploit and the cookie decoder), the XSS is real and who knows what a crafty attacker may do if your site suffer of it. The cure is simple...
The very article you linked gives you:
http://www.example.com/form.php/%22%3E%3Cscript%3Ealert(‘xss attack’)%3C/script%3E%3Cbr%20class=%22irrelevant
what's not clear?
Edit: this is an XSS attack because I can hide a link from my site to yours with some JS added to the URL which sends me your cookies so the moment you click that link, you are pwnd.
You should be using filter_input() to access superglobals in PHP. If you set the filter to FILTER_SANITIZE_FULL_SPECIAL_CHARS it will strip the unsafe characters typically used in XSS. Given your example:
<form method="post"
action="<?php filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_FULL_SPECIAL_CHARS); ?>">
<!-- form contents -->
</form>
The vulnerability is that a user can enter malicious JavaScript codes in the form. To prevent this, htmlspecialchars function is used.
Predefined characters (like >, <, ", ') are converted into entities(> < etc)
htmlspecialchars($_SERVER["PHP_SELF"]) ensures that all submitted form variables are converted into entities.
To read more about this vulnerability, visit: https://www.w3schools.com/php/php_form_validation.asp
Another link that can help you: https://www.google.com/amp/s/www.bitdegree.org/learn/php-form-validation/amp
I am studying this issue about the PHP_SELF variable and the XSS attack. There is something that I still can't understand: PHP_SELF variable is suposed to reference the name of the script file (the script that is running). Then, why does it take its value from the URL? (allowing the XSS problem).
What is the benefit of using the super global $_SERVER['PHP_SELF']?
$_SERVER['PHP_SELF'] doesn't (or shouldn't) include the domain name. It includes the path component of the url that the script was called from.
Its use is primarily to introduce cross site scripting vulnerabilities.
you can use it to fill in the action attribute of a form tag:
<form method="post" action="<?=$_SERVER['PHP_SELF']?>"></form>
If I then call your page with:
your-file-that-uses-php-self.php/("><script>eval-javascript-here</script>)
where everything in parens is urlencoded then I can inject the code into your page. If I send that link to somebody else, then I'm executing that code in their browser from your site.
Edit:
To make it safe against XSS attacks, use htmlspecialchars:
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">...</form>
Edit 2: As this $_SERVER variable has been misused so often out there in examples across the internets, don't miss reading your HTML reference: As that URI is the shortest possible relative URI, you can just leave the action attribute empty:
<form action="" method="post" >...</form>