I've often heard that JavaScript is a tool of evil, but I've never exactly known the full capabilities of its evilness.
What I'd like to know is what damage a person could do if this happened:
We have a page that accepts POST parameters and then outputs them onto the page without cleaning them (it doesn't do anything else with them). That means that the user can put arbitrary data on the page, but no one else can view it. Is this a security hazard? And if so, how would one exploit it?
User Sets Arbitrary Data on Page, but Only they can View it?
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Sooo....
would be "relatively" safe?
Code:
<?php
echo $_POST['user'];
?>
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
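The snippet in the thread writes the raw `$_POST['user']` value into the HTML response. As an added example (not code from the thread), the following shows the same output with HTML encoding applied, including the array-parameter and invalid-encoding cases; the helper name `escape_html()` and the sample inputs are constructed for illustration, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Encode an untrusted request value for an HTML body or a quoted attribute.
 * escape_html() is a hypothetical helper name, not from the thread.
 */
function escape_html(mixed $value): string
{
    // A request sent as user[]=x makes $_POST['user'] an array; treat any
    // non-scalar value as empty instead of echoing "Array" or raising an error.
    if (!is_scalar($value)) {
        return '';
    }
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences with U+FFFD instead of returning an empty string.
    return htmlspecialchars(
        (string) $value,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
}

// Constructed sample inputs standing in for $_POST['user'].
$samples = [
    'plain text'        => 'alice',
    'markup'            => '<b>bold</b> & more',
    'attribute breaker' => '" x=\'',
    'array parameter'   => ['nested'],
    'invalid UTF-8'     => "caf\xE9",
];

foreach ($samples as $label => $input) {
    printf("%-18s => %s\n", $label, escape_html($input));
}

// In the page itself the call would be:
//   header('Content-Type: text/html; charset=UTF-8');
//   echo escape_html($_POST['user'] ?? '');
```

The encoding is correct for HTML text and quoted attribute values only; a value placed inside a script block, a URL or a style rule needs the encoding for that context instead.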