[thelist] input type="image" vs. input type="button"
Phil Turmel
philip at turmel.org
Thu Aug 24 17:06:32 CDT 2006
Christian Heilmann wrote:
>>>It seems to me you are trying to solve a problem that won't exist ...
>>>once your link looks like this...
>>>
>>>http://example.com/product.php?productid=1
>>>
>>>... Your html ends up like this:
>
>
> And you are probably VERY vulnerable to XSS. Wouldn't it be nice to
> just take what someone asks for and give a solution for that?
>
> Change your FORM to this:
>
> <form name="quickform" action="send.php" method="post">
> <label for="quickpicks">Select a topic:</label>
> <select name="quickpicks">
> <option value="selected">Tell me more about...</option>
> <option value="product1.php">Product One</option>
> <option value="product2.php">Product Two</option>
> <option value="product3.php">Product Three</option>
> <option value="product4.php">Product Four</option>
> <option value="product5.php">Product Five</option>
> </select>
> <input type="image" src="go.gif" alt="go" />
> </form>
>
> and send.php:
>
> <?php header('Location:'.$_POST['quickpicks']);?>
>
> You can then add a JavaScript that makes sure the first choice isn't
> picked, or rather get rid of it.
>
Christian,
Nothing I recommended suggests or requires echoing part of the form
submission back to the browser, a basic starting point for a
cross-site-scripting attack. If using a single script with a query part
to pick one of several pages to serve is inherently vulnerable to XSS
without any other action, millions of CMS users are screwed.
You, on the other hand, gave a PHP example that is in fact vulnerable to
header injection for users of PHP prior to version 4.4.2 and 5.1.2. A
malicious visitor could post a multi-line value to 'quickpicks' and they
are IN.
If I'm wrong, please enlighten me.
However, you are correct that I did not give a sufficiently complete
answer. So...
Jono,
Assuming all your temporary pages can have numerical suffixes, here's a
quick and dirty temporary script for your 'product.php' that redirects
to your existing pages until you get a DB running:
<?php
/* Go back home (or wherever else) if they hit "GO"
   without picking something from the drop down, or if
   no productid was submitted at all */
if (!isset($_GET['productid']) || $_GET['productid'] == 'selected') {
    header('Location: /');
    exit;
}
/* Go to the product page based on the select value.
   intval() reduces whatever was submitted to a plain integer,
   so the redirect target can only ever be productN.php */
header('Location: product' . intval($_GET['productid']) . '.php');
exit;
?>
Phil
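The header-injection risk Phil points out in the quoted send.php, and the intval() dispatch of his own product.php, side by side as an added example; this is not code from either poster. It assumes only a PHP command line (php demo.php). The attacker value and the list of known filenames are constructed for the demonstration, and the function names are mine.

```php
<?php
// Added example, not from the original thread.
// Shows why gluing $_POST['quickpicks'] onto a Location: header is a
// header-injection risk, and two ways to dispatch a redirect safely.

// Constructed attacker input: the kind of "multi-line value" Phil
// describes. The CRLF pairs end the Location header early and smuggle
// in a second header plus a response body.
$attacker = "product1.php\r\nSet-Cookie: session=evil\r\n\r\n<script>alert(1)</script>";

// 1. The quoted pattern, simulated as a string instead of calling header():
//    the submitted value is concatenated straight into the header line.
function raw_location_header(string $value): string {
    return 'Location: ' . $value;
}

// 2. Detect CR or LF in a value before it reaches header(). Newer PHP
//    refuses such values itself; this check makes the rejection explicit
//    and independent of the PHP version.
function has_header_injection(string $value): bool {
    return (bool) preg_match('/[\r\n]/', $value);
}

// 3. Numeric dispatch, the approach of Phil's product.php: intval()
//    collapses any non-numeric input to 0, which we treat as "nothing
//    selected" and send home.
function product_target(?string $id): string {
    if ($id === null || $id === 'selected') {
        return '/';
    }
    $n = intval($id);
    return $n > 0 ? 'product' . $n . '.php' : '/';
}

// 4. Allowlist dispatch for free-form filenames: the input never shapes
//    the header, it only selects one of the names we already know.
function allowlisted_target(string $value, array $known): ?string {
    return in_array($value, $known, true) ? $value : null;
}

// Constructed list of pages the site actually has.
$known = ['product1.php', 'product2.php', 'product3.php'];

echo "Raw header line built from attacker input:\n";
echo raw_location_header($attacker) . "\n\n";
echo "CRLF present: " . (has_header_injection($attacker) ? 'yes' : 'no') . "\n";
echo "intval dispatch on attacker input: " . product_target($attacker) . "\n";
echo "intval dispatch on '3': " . product_target('3') . "\n";
echo "allowlist on attacker input: " . var_export(allowlisted_target($attacker, $known), true) . "\n";
echo "allowlist on 'product2.php': " . var_export(allowlisted_target('product2.php', $known), true) . "\n";
```

The first echo prints the injected Set-Cookie line and script body on their own lines, which is exactly what a client would have received from a PHP that did not check header() values. Both dispatch functions reduce the same input to a safe target: intval() yields 0 and the allowlist yields null, so neither lets any byte of the attacker's string into the response headers.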