NYCPHP Meetup

NYPHP.org

[nycphp-talk] Form action submission trickery

John Campbell jcampbell1 at gmail.com
Fri Nov 30 12:46:40 EST 2007


An empty URI, is a valid URI that just means the current URI.  It is
perfectly safe.  I use it on most every method="post" form, it doesn't
make sense if method="get"

see:
http://www.ietf.org/rfc/rfc2396.txt
section 4.2

> (Which leads to the question, is PHP_SELF safe to use, or should you escape it?)

Of course you have to escape it.  Type the following into Google  <a
href="javascript:alert('hello world')"> and notice how many times it
appears in the html - url, input box, pagination etc.

Cheers,
John Campbell



More information about the talk mailing list