mysql - Html-Entity encoded empty HTML Tag -


can combination of characters, alone in form field, used xss or sql attack, if "html-entity encoded" right @ beginning of php code ?

<>

here simple program shows text value in text field when submit form :

<?php     foreach ($_post &$_http_field) {     $_http_field = htmlentities($_http_field,ent_quotes,'iso-8859-1');   }   foreach ($_get &$_http_field) {     $_http_field = htmlentities($_http_field,ent_quotes,'iso-8859-1');   }  ?>  <html><body>   <form action="/index2.php" name="abcd" method="post">     <input type="text" name="texte" value="<? echo $_post['texte'];?>">    <input type="submit" name="soumission" value="submit">   </form> </body></html>

i'm sure not follow best coding practices in itself, code not seems risky if echo-ed variable in "value" field.

but when try "<>" in text field, web hosting firewall block request sending 403 error.

i'm not specifying document encoding here clarity reasons, in reality document made in iso-8859-1. matches htmlentities function.

<> may not work but

" onmouseover="alert(1)

will succeed rendered as

<input type="text" name="texte" value="" onmouseover="alert(1)">

Comments

Post a Comment

Popular posts from this blog

cakephp - simple blog with croogo -

i not problem, made simple blog in croogo, problem is not adding or modifying or delete, because arabic language ?? function add in controller `public function admin_add() { $this->set('title_for_layout', __('add part')); if (!empty($this->request->data)) { $this->part->create(); if ($this->part->save($this->request->data)) { $this->session->setflash(__('the part has been saved'), 'default', array('class' => 'success')); $this->redirect(array('action' => 'index'));//, $this->part->id)); } else { $this->session->setflash(__('the part not saved. please, try again.'), 'default', array('class' => 'error')); } } }` => model `class part extends appmodel { public $name = 'part'; var $belongst...
Read more

How to group boxplot outliers in gnuplot -

i have large set of data points. try plot them boxplot, of outliers exact same value , represented on line beside each other. found how set horizontal distance between outliers in gnuplot boxplot , doesn't much, apparently not possible. is possible group outliers together, print 1 point , print number in brackets beside indicate how many points there are? think make more readable in graph. for information, have 3 boxplots 1 x value , times 6 in 1 graph. using gnuplot 5 , played around pointsize, doesn't reduce distance anymore. hope can help! edit: set terminal pdf set output 'dat.pdf' file0 = 'dat1.dat' file1 = 'dat2.dat' file2 = 'dat3.dat' set pointsize 0.2 set notitle set xlabel 'x' set ylabel 'y' header = system('head -1 '.file0); n = words(header) set xtics ('' 1) set [i=1:n] xtics add (word(header, i) i) set style data boxplot plot file0 using (1-0.25):1:(0.2) boxplot lw 2 lc rgb '#8b0000...
Read more

bash - Performing variable substitution in a string -

i have string contains use of variable, , i'd substitute variable's value string. right best have is #!/bin/bash foo='$name; echo bar' name="the name" expanded="$(eval echo "$foo")" echo "$expanded" which has obvious defects: prints the name bar while i'd print the name; echo bar instead of eval can bash's regex matching bash's string replacement: foo='$name; echo bar' name="the name" [[ "$foo" =~ \$([[:alnum:]]+) ]] && s="${!bash_rematch[1]}" && expanded="${foo/\$${bash_rematch[1]}/$s}" echo "$expanded" name; echo bar
Read more