1 <html> 2 <form action="" method="post"> 3 <input type="text" name="xss_input"> 4 <input type="submit"> 5 </form> 6 <?php 7 if(isset($_POST['xss_input'])){ 8 $xss = $_POST['xss_input']; 9 unset($_POST['xss_input']); 10 echo "<h1>你输入的字符为<br>$xss</h1>"; 11 } 12 ?> 13 </html>
If you the form's action is null, it will refresh the current page,request the current php.
Key:
<script>alert("haha");</script>
<html>
<form action="" method="post">
<input type="text" name="xss_input">
<input type="submit">
</form>
<h1>你输入的字符为<br><script>alert("haha");</script></h1>
</html>
==================================================
<html> <form action="" method="post"> <input type="text" name="xss_input"> <input type="submit"> </form> <?php if(isset($_POST['xss_input'])){ $xss = $_POST['xss_input']; echo "<textarea>你输入的字符为$xss</textarea>"; } ?> </html>
Key:
</textarea><script>alert("haha");</script><textarea>>
The main point of xss is to take advantage of server's echo.
The main point of knowledge is to realize that html is generated by server,it's just strings !
The power of xss is the power of javascript.The more privilege we give to js,the more dangerous xss is.
How to prevent xss?
echo "<textarea>".htmlspecialchars("你输入的字符为$xss")."</textarea>";
881
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
