Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
517 views
in Technique[技术] by (71.8m points)

php - Is $_SERVER['QUERY_STRING'] safe from XSS?

I need to construct a form who's action takes you back to the exact same page - GET parameters included. I'm thinking I can say something to the effect of:

echo '<form action="'.$_SERVER['SCRIPT_NAME'].'?'.$_SERVER['QUERY_STRING'].
     '" method="post">'

This seems to work, and testing passing a couple XSS attacks seems to be successful, as the output of QUERY_STRING seems to be URL encoded. However the PHP documentation does not mention this, so I'm not confident I can trust this behavior.

Is it safe to use QUERY_STRING the way I am above? If not, what can I do instead? References to documentation would be appreciated.

Update switched to SCRIPT_NAME, just mixed up which one was ok and which was bad in my head, thanks for catching me. action="" does resolve my specific issue nicely, but I'm still curious if QUERY_STRING is pre-processed so it is safe to use or not, since there are other times you might want to re-use the query string, assuming it's safe to do so.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

You should never trust $_SERVER['QUERY_STRING'] as it can be used for XSS attacks.

In your case, one could exploit the vulnerability with:

http://your.server.com/your_script.php?"><script>alert(111);</script>

Note that the code above works on IE; FireFox and Chrome efficiently encode the query string before sending it to the web server.

I would always wrap it with htmlentities (mind the double_encode parameter) as with every user input.

Good luck!


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...