XSS attack to bypass htmlspecialchars() function in value attribute
Posted
by Setzer
on Stack Overflow
See other posts from Stack Overflow
or by Setzer
Published on 2010-05-24T02:35:57Z
Indexed on
2010/05/24
2:40 UTC
Read the original article
Hit count: 814
Let's say we have this form, and the possible part for a user to inject malicious code is this below
... <input type=text name=username value=<?php echo htmlspecialchars($_POST['username']); ?>> ...
We can't simply put a tag, or a javascript:alert(); call, because value will be interpreted as a string, and htmlspecialchars filters out the <,>,',", so We can't close off the value with quotations.
We can use String.fromCode(.....) to get around the quotes, but I still unable to get a simple alert box to pop up.
Any ideas?
© Stack Overflow or respective owner