1

I have written code for redirecting the page on submitting the form. I have a drop-down and a textbox in that form. I typed </script> as input for the textbox, which led to normal execution but with ); on screen.

This is what I got from my Firebug tool:

<script type="text/javascript">
loadSearch('Customer','
</script>
'); 

PHP code for submit

<?php
if($_POST['searchButton']){
    // Both request values are interpolated straight into the inline
    // script as JavaScript string literals, without any escaping.
    echo "<script type='text/javascript'>loadSearch('".$_REQUEST['search_details']."','".$_REQUEST['search_input']."'); </script>";
}
?>

JavaScript

function loadSearch(selM,selK){
    // Builds the search URL from the two values and navigates to it.
    document.location.href="index.php?pg=search&selM="+selM+"&selK="+selK;
}//loadSearch

Note: $_REQUEST['search_input'] is the textbox and if the textbox is given with </script> as input

5
  • I have no idea what you are asking here. Please improve your question. Commented Jan 12, 2015 at 10:47
  • I tried to edit your question so it is at least clear what is text and what is code, but still the first paragraph is a mess, and I don't know which of those ) and ; are part of the question. Please edit this, put inline code fragments in backticks, and rephrase the question. Commented Jan 12, 2015 at 10:48
  • @Chilion shouldn't it be the question? Commented Jan 12, 2015 at 10:49
  • You have neither described a problem nor asked a question. How can we help you? Commented Jan 12, 2015 at 10:49
  • @Shikhar Bhardwaj Yep. Changed, tnx! Commented Jan 12, 2015 at 10:50

3 Answers

2

There is a severe vulnerability in your server-side code. You should always clean strings which arise from user inputs using methods like htmlspecialchars.

Replace :

$_REQUEST['search_details']

and

$_REQUEST['search_input']

With :

htmlspecialchars($_REQUEST['search_details'], ENT_QUOTES, 'UTF-8')

and

htmlspecialchars($_REQUEST['search_input'], ENT_QUOTES, 'UTF-8')

Not doing this can make your website vulnerable, where a malicious user could include scripts to snoop on your users. What this function does is convert special characters like < to HTML character entities like &lt; so that they can't be interpreted as code by the browser on the client side.


1 Comment

htmlspecialchars() is not the right tool for this job. The values will be incorrectly interpreted in the JavaScript.
0

The problem is that you are dumping the request values into your page without doing any escaping of them. Since this is JavaScript, one quick fix is to use json_encode() to encode the values as JSON:

<?php
if($_POST['searchButton']){
    // json_encode() turns each value into a JavaScript string literal
    // (quotes and backslashes escaped). The str_replace() then rewrites any
    // '<' inside that literal as the JS escape \x3C, so a value such as
    // '</script>' cannot end the <script> element early.
    // str_replace() takes (search, replace, subject) in that order.
    echo "<script type='text/javascript'>loadSearch(".
           str_replace('<', '\x3C', json_encode($_REQUEST['search_details'])) . ", " .
           str_replace('<', '\x3C', json_encode($_REQUEST['search_input'])) .
           ");</script>";
}
?>

Also, your function should be using encodeURIComponent():

function loadSearch(selM,selK){
    // encodeURIComponent() percent-encodes characters such as & / < and
    // spaces so each value occupies exactly one query parameter.
    document.location.href="index.php?pg=search&selM="+
                           encodeURIComponent(selM) + "&selK=" + 
                           encodeURIComponent(selK);
}

But the question remains: if what you really want to do is redirect the user to a search page, why are you using this roundabout script approach in the first place? Why not just do a redirect directly from your PHP?

5 Comments

@NMN Did you delete the ' (single quote) before and after the part for search_input? You'll need to do that.
Redirection is happening, but the URL becomes /index.php?pg=search&selMod=Customer&selKey="<%2Fscript>"; I want it as /index.php?pg=search&selMod=Customer&selKey=</script>;
@NMN The %2F is expected. That is the correct way to represent the value / in a URL query value. Regarding the pair of quotes that you are seeing there, I ask again, did you make sure to remove the two 's before and after the search_input part?
Yes; I used json_decode when displaying in the textbox.
@NMN Can you paste the current PHP code that you are trying into pastebin or something so that I can have a look?
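The following is an added example, not code from the question or from either answer above, that puts the two suggested fixes side by side on the asker's own input. It renders the inline loadSearch() call four ways: the original raw interpolation, the first answer's htmlspecialchars() (which keeps the script intact but hands loadSearch() the literal text &lt;/script&gt;, the objection in the comment under that answer), json_encode() with the JSON_HEX_* flags as a JavaScript-aware escaping, and finally the plain PHP redirect the second answer hints at, built with http_build_query(). The function names renderUnsafe, renderHtmlEscaped, renderJsonEscaped and buildRedirectUrl are this example's own, and the sample values are constructed.

```php
<?php
// Added example (not from the question or answers): escaping a user-supplied
// search string for an inline loadSearch() call, plus a redirect alternative.
declare(strict_types=1);

// Constructed sample input: the value the asker typed into the textbox.
$searchDetails = 'Customer';
$searchInput   = '</script>';

// 1. The original approach: raw interpolation into a JS string literal.
//    A closing tag inside the value ends the <script> element early, and
//    the rest of the call ("');") is rendered as page text.
function renderUnsafe(string $details, string $input): string
{
    return "<script type='text/javascript'>loadSearch('" . $details . "','" . $input . "'); </script>";
}

// 2. htmlspecialchars(): the browser no longer sees a closing tag, but the
//    string passed to loadSearch() is now "&lt;/script&gt;" rather than the
//    characters the user typed. HTML escaping is the wrong context here.
function renderHtmlEscaped(string $details, string $input): string
{
    $d = htmlspecialchars($details, ENT_QUOTES, 'UTF-8');
    $i = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    return "<script type='text/javascript'>loadSearch('" . $d . "','" . $i . "'); </script>";
}

// 3. json_encode() with JSON_HEX_TAG/AMP/APOS/QUOT: emits a JS string literal
//    in which < > & ' " appear as \u003C-style escapes. The HTML parser never
//    sees a tag or quote, and the JS engine decodes the original characters.
function renderJsonEscaped(string $details, string $input): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return "<script type='text/javascript'>loadSearch("
        . json_encode($details, $flags) . ","
        . json_encode($input, $flags)
        . "); </script>";
}

// 4. No inline script at all: build the target URL in PHP. http_build_query()
//    percent-encodes every value, so neither < nor / survives into the
//    query string unencoded. Pair this with header('Location: ...') and exit.
function buildRedirectUrl(string $details, string $input): string
{
    return 'index.php?' . http_build_query([
        'pg'   => 'search',
        'selM' => $details,
        'selK' => $input,
    ]);
}

// Render each variant so the differences can be compared in a terminal.
echo renderUnsafe($searchDetails, $searchInput), PHP_EOL;
echo renderHtmlEscaped($searchDetails, $searchInput), PHP_EOL;
echo renderJsonEscaped($searchDetails, $searchInput), PHP_EOL;
echo buildRedirectUrl($searchDetails, $searchInput), PHP_EOL;
```

Run it with `php example.php` and compare the four lines. The design point is that escaping has to match the context the value lands in: htmlspecialchars() targets HTML text, while a value inside a JavaScript string literal needs JavaScript string escaping (json_encode() with the JSON_HEX_* flags, or the manual str_replace() of "<" shown in the answer above), and a value inside a URL needs percent-encoding (http_build_query() server-side, encodeURIComponent() client-side). The redirect variant sidesteps the inline-script context entirely, which is the simplest way to avoid getting that choice wrong.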
0

Why not consider using plain JavaScript without any PHP?

<input type="text" id="selM">
<input type="text" id="selK">
<input type="button" onclick="loadSearch(document.getElementById('selM').value,document.getElementById('selK').value);">

