Mainly caused by using $_SERVER['PHP_SELF'] to get the current script name. Reference: https://stackoverflow.com/questions/6080022/php-self-and-xss

Here is an example (no login required). The payload here is:

/"><script>alert(/xss/)</script><a="

You should know that you have used this kind of method so many times.

Actually, you can use $_SERVER['SCRIPT_NAME'] to replace it, or use the htmlspecialchars() filter.
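The following is an added example, not code from the issue or the affected project, that shows why the report holds and how each suggested fix changes the output. It assumes a form whose action attribute is built from the request path; the $fakeServer array is a constructed stand-in for PHP's real $_SERVER superglobal, seeded with the payload quoted above.

```php
<?php
// Added example (not from the issue or the project): contrasts an unescaped
// $_SERVER['PHP_SELF'] form action with the two fixes proposed in the report.

// Vulnerable: PHP_SELF is SCRIPT_NAME plus any PATH_INFO the client appended,
// so a crafted request path lands verbatim inside the attribute.
function form_action_vulnerable(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Fix 1: escape the value before placing it in an HTML attribute.
// ENT_QUOTES also encodes the double quote that closes the attribute.
function form_action_escaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Fix 2: SCRIPT_NAME is the script's own path only (no PATH_INFO), so it does
// not carry client-appended text; escaping it anyway costs nothing.
function form_action_script_name(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Constructed request environment (hypothetical script path /index.php):
// the client requested /index.php/"><script>alert(/xss/)</script><a="
$fakeServer = [
    'SCRIPT_NAME' => '/index.php',
    'PHP_SELF'    => '/index.php/"><script>alert(/xss/)</script><a="',
];

// Vulnerable output breaks out of the attribute and injects a script tag.
echo form_action_vulnerable($fakeServer), PHP_EOL;

// Escaped output keeps the payload inert: the quote becomes &quot; and the
// angle brackets become &lt; and &gt;.
echo form_action_escaped($fakeServer), PHP_EOL;

// SCRIPT_NAME output contains only the script path.
echo form_action_script_name($fakeServer), PHP_EOL;
```

Running this with the PHP CLI prints the three form tags in order; a quick check for a code base is to grep for PHP_SELF and confirm every occurrence that reaches HTML goes through htmlspecialchars() or is replaced by SCRIPT_NAME.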
f00f1da
Thanks for reporting this @CBiu !