ID:               42176
Updated by:       [EMAIL PROTECTED]
-Summary:         security hole in language.variables.external examples
Reported By:      judas dot iscariote at gmail dot com
Status:           Open
Bug Type:         Documentation problem
Operating System: irrelevant
PHP Version:      Irrelevant
New Comment:
This is a tough question because this type of example is everywhere, and escaping every variable throughout the entire manual gets messy. And do we know of a method that will work in 100% of all cases? Do we use filter, htmlspecialchars, or a custom way? No simple answer (that I know of). I believe this was briefly discussed once and we decided to simply leave it, but it's worth officially discussing and in need of a creative solution, because this is a real problem. Regardless, the security section (and tutorial) must both contain sections that talk about this topic so we may refer to them elsewhere. For example, the following is outdated: http://php.net/manual/en/security.variables

Previous Comments:
------------------------------------------------------------------------

[2007-08-02 11:36:44] judas dot iscariote at gmail dot com

Description:
------------
The "Example 12.11. More complex form variables" in http://php.net/manual/en/language.variables.external.php contains a security hole.

Reproduce code:
---------------
It says:

echo '<a href="'. $_SERVER['PHP_SELF'] .'">Please try again</a>';

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

as well as print_r($_POST)...

Expected result:
----------------
The manual teaching good practices always: PHP_SELF escaped, and $_POST not printed without escaping.

Actual result:
--------------
A how-to for permitting XSS in your code.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=42176&edit=1
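The report above objects to request-controlled values (`$_SERVER['PHP_SELF']`, `$_POST`) being written into HTML unescaped. The following is an added example, not code from the bug report or from the PHP manual: it renders the same three pieces of output once the way the manual does and once with every request-derived value passed through `htmlspecialchars()`. The helper `h()`, the two `render*()` functions and the sample `$phpSelf`/`$post` values are my own constructions; a real script would pass `$_SERVER['PHP_SELF']` and `$_POST` into them instead of the constructed values.

```php
<?php
// Added example, not part of the bug report or the PHP manual.
// Shows the pattern the report objects to (unescaped PHP_SELF and an
// unescaped print_r($_POST)) next to the same output with escaping applied.

declare(strict_types=1);

/** Escape a string for HTML text or a quoted attribute value (helper introduced here). */
function h(string $s): string
{
    // ENT_QUOTES escapes both ' and " so the result is safe inside attributes too.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Output built the way the manual's example does it: request data goes straight into HTML. */
function renderFormUnsafe(string $phpSelf, array $post): string
{
    $out  = '<a href="' . $phpSelf . '">Please try again</a>' . "\n";
    $out .= '<form action="' . $phpSelf . '" method="post">' . "\n";
    $out .= '<pre>' . print_r($post, true) . '</pre>' . "\n";
    return $out;
}

/** Same output, with every request-controlled value escaped before it reaches the HTML. */
function renderFormEscaped(string $phpSelf, array $post): string
{
    $out  = '<a href="' . h($phpSelf) . '">Please try again</a>' . "\n";
    $out .= '<form action="' . h($phpSelf) . '" method="post">' . "\n";
    // print_r(..., true) returns the dump as a string, so it can be escaped as a whole.
    $out .= '<pre>' . h(print_r($post, true)) . '</pre>' . "\n";
    return $out;
}

// Constructed sample request. PHP_SELF reflects the request path (including any
// extra path segment after the script name), so a client can place markup
// characters in it; $_POST is entirely client-controlled.
$phpSelf = '/form.php/"><b>injected</b>';
$post    = ['name' => '<i>x</i>', 'choice' => ['first', 'second"']];

echo "--- unsafe: markup from the request becomes part of the page ---\n";
echo renderFormUnsafe($phpSelf, $post);
echo "--- escaped: the same bytes are rendered as inert text ---\n";
echo renderFormEscaped($phpSelf, $post);
```

Run it with `php example.php` and compare the two halves: in the first, the `"` in `$phpSelf` closes the `href`/`action` attribute and the rest is parsed as markup; in the second it appears as `&quot;&gt;&lt;b&gt;...`. `htmlspecialchars()` covers the HTML text and attribute contexts used here; a value placed into a JavaScript string or a URL query component needs that context's own encoding in addition.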
