The page is designed so that entering a , b into the 2 text fields will produce the same page with "Welcome b, a." written on the bottom.
Entering "a" , "b" results in:
Welcome \"b\", \"a\".
Entering 'a' , 'b' results in:
Welcome \'b\', \'a\'.
as a side note, backslash is also anti-escaped, i e:
Entering \a\ , \b\ results in:
Welcome \\b\\, \\a\\
Thus, when entering <script>alert(document.cookie);</script> it works fine, but entering <script>alert("abc");</script> results in an error due to the script becoming <script>alert(\"abc\");</script>
This shouldn't be happening as the code doesn't do any sort of filtering and I have no idea where this is coming from. I would be very grateful if someone can explain why this is happening and if it is possible to actually insert quotes for XSS into it.
Page link for anyone who wants to test it: http://randomsite.net78.net/PHPTesting/ ... esting.php
The site is owned by me and is hosted by a free web-hosting company so feel free to test the page as much as you want.
source code for the page:
- Code: Select all
<!-- Welcome HTS -->
<p>Please enter the following:</p>
<form action="FormInputTesting.php" method="get">
First name: <input type="text" name="fname" /> <br />
Last name: <input type="text" name="lname" /> <br />
<input type="submit" value="Enter" />
if (($_GET["fname"] != null) and ($_GET["lname"] != null))
echo "Welcome ", $_GET["lname"], ", ", $_GET["fname"], ".";