<form method="GET">
<input type="text" name="userParameter" placeholder="type your input" />
<input type="submit"/>
</form>
<?php
# Reflected XSS demo: the form above submits userParameter in the query string
# (method="GET", so the value also lands in the URL and in web-server access
# logs), and the PHP below echoes it straight back into the HTML body.
#Payload: <script>alert(document.domain)</script>
#Insecure Implementation
# Vulnerable on purpose: the raw query-string value is concatenated into the
# response with no output encoding, so any HTML or JavaScript it contains is
# parsed and executed by the browser.
if(isset($_GET['userParameter'])){
echo "Value passed is: ".$_GET['userParameter'];
}
/*Secure Implementation
if(isset($_GET['userParameter'])){
echo "Value passed is: ".htmlspecialchars($_GET['userParameter']);
}
*/
# htmlspecialchars() turns &, <, > and quotes into HTML entities, which is the
# correct encoding for this HTML-body context only. Pass the flags explicitly
# (ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') so the result does not depend on the
# PHP version's defaults: before PHP 8.1 single quotes were not escaped.
# A value placed into an attribute, a <script> block or a URL needs the
# encoding for that context instead (see the OWASP cheat sheet below).
#Notes
#Avoid addslashes() since it can be bypassed
# addslashes() only backslash-escapes quotes, backslashes and NUL; it leaves
# < and > untouched, so it is not an HTML encoder at all.
#Use HTML Purifier if it's required to accept input from your users
#https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
?>