
XSS from the url

Posted: Tue Nov 15, 2011 3:27 am
by social_experiment
I did a test on an existing website with the following code for a query string: page.php?id=Value<script type="text/javascript">alert('XSS')</script>. Not surprisingly, it displays the alert. However, in the PHP code, I have the following:

Code:

<?php
 $value = $_GET['id'];
 // before i use it in the query
 $cleanValue = trim(htmlentities($value, ENT_QUOTES));
?>
Yet even with this, the alert message is still displayed when I load the page.

What am I missing?

Re: XSS from the url

Posted: Tue Nov 15, 2011 5:18 am
by twinedev
What is the code where you are displaying $cleanValue?

Re: XSS from the url

Posted: Tue Nov 15, 2011 5:25 am
by social_experiment
That's my problem then: the results don't use htmlentities() when I display them back to the browser 8O

Re: XSS from the url

Posted: Tue Nov 15, 2011 6:27 am
by twinedev
Do you have any place on the page that echoes out $_SERVER['PHP_SELF']? That will also give the full URL.

Re: XSS from the url

Posted: Tue Nov 15, 2011 6:33 am
by social_experiment
No, but when I enter it in the URL I assume it is parsed as part of $_GET['id']; that value is displayed elsewhere on the page.
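
Added example, not code from any poster in this thread: it reproduces the situation described above, where a cleaned copy is made but the raw value is what gets written into the page, next to a version that escapes in the same statement that produces the HTML. The helper name e(), the markup and the hard-coded request value are assumptions made for the illustration.

```php
<?php
// Constructed request value: the same query-string payload as in the first post.
$_GET['id'] = "Value<script type=\"text/javascript\">alert('XSS')</script>";

// Hypothetical helper: escape for an HTML text node or a quoted attribute.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$value = $_GET['id'];

// As in the thread: a cleaned copy is created near the top of the script...
$cleanValue = trim(htmlentities($value, ENT_QUOTES));

// ...but a different variable is echoed further down, so the cleaning
// never reaches the browser and the script tag is emitted intact.
$unescapedOutput = '<p>Showing item ' . $value . '</p>';

// Escaping at the point of output removes the dependency on which
// variable happens to be in scope when the markup is built.
$escapedOutput = '<p>Showing item ' . e($value) . '</p>';

// PHP_SELF is derived from the request path, so it gets the same
// treatment when it is written into an attribute.
$self = $_SERVER['PHP_SELF'] ?? '/page.php';
$form = '<form action="' . e($self) . '" method="get">';

// For the query mentioned in the first post, HTML escaping is not the
// relevant control: bind the raw value as a statement parameter and
// keep e() for output only.

foreach (['unescaped' => $unescapedOutput, 'escaped' => $escapedOutput] as $label => $html) {
    // Report whether a literal script tag survives into the markup.
    $hasTag = strpos($html, '<script') !== false;
    echo $label, ': ', $html, "\n";
    echo '  contains <script tag: ', $hasTag ? 'yes' : 'no', "\n";
}
echo $form, "\n";
```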