As I understand it, href can be exploited inside an anchor like so:
```php
<a href="?idx=<?php echo $idx; ?>&key=<?php echo $key; ?>">This is a safe link click me</a>
```
By not escaping/htmlspecialchars the $key and allowing characters like single quote it's possible an attacker might try to halt the normal href sequence.
```php
$key = "O'Brien"; // Expected input
```
```php
<a href="?index=<?php echo $idx; ?>&<?php echo $key; ?>">Safe Url Click Me</a>
```
The worst I can see happening is the attacker being able to add other GET name=value pairs which should have no ill-effect on the client. As for getting any javascript to execute...nothing.
So I ask, can someone show me how XSS exploits occur if the href is prefixed with a '?'
I can see situations like the one below causing potential problems:
```php
<a href="<?php echo $_SERVER['PHP_SELF'] ?>?idx=$idx">Potential Problems</a>
```
Cheers
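Added example, not part of the original post: it renders the post's first link unescaped and in a hardened form, then parses each result to list the attributes that end up on the `<a>` element. The function names and the second sample value are hypothetical and constructed for illustration; it assumes PHP's DOM extension is available.

```php
<?php
// Added example; render_raw(), render_safe() and anchor_attributes() are hypothetical names.

// Mirrors the post's first snippet: values are echoed into href unescaped.
function render_raw(string $idx, string $key): string {
    return '<a href="?idx=' . $idx . '&key=' . $key . '">link</a>';
}

// Hardened form: URL-encode each value for the query-string context,
// then HTML-escape the complete attribute value for the HTML context.
function render_safe(string $idx, string $key): string {
    $query = http_build_query(['idx' => $idx, 'key' => $key], '', '&', PHP_QUERY_RFC3986);
    $href  = htmlspecialchars('?' . $query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '">link</a>';
}

// Parse the markup and return the attribute names found on the first <a>.
// More than just "href" means the value escaped the attribute.
function anchor_attributes(string $html): array {
    $doc = new DOMDocument();
    @$doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    $a = $doc->getElementsByTagName('a')->item(0);
    if ($a !== null) {
        foreach ($a->attributes as $attr) {
            $names[] = $attr->name;
        }
    }
    return $names;
}

// Sample inputs: the first is from the post, the second is constructed.
// A double quote closes the double-quoted href; a single quote does not.
$samples = ["O'Brien", 'x" data-injected="1'];

foreach ($samples as $key) {
    foreach (['raw' => render_raw('1', $key), 'safe' => render_safe('1', $key)] as $label => $html) {
        printf("%-4s %s\n     attributes: %s\n", $label, $html, implode(', ', anchor_attributes($html)));
    }
}
```

The single quote in `O'Brien` stays inside the double-quoted attribute in both versions, while the constructed value with a double quote adds a second attribute in the raw output only.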