Request #29570 phpinfo output inconsistent
Submitted: 2004-08-08 12:47 UTC Modified: 2004-09-04 22:15 UTC
From: grangeway at blueyonder dot co dot uk Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.3.8 OS: any
Private report: No CVE-ID: None
 [2004-08-08 12:47 UTC] grangeway at blueyonder dot co dot uk
Description:
------------
Bug #24024 discusses the fact that _SERVER["argv"] does not convert HTML entities, e.g. < to &lt;, as phpinfo() is a debugging tool, and is marked as bogus.

If this is the case, and content should not be escaped as phpinfo is for debugging, then:
_SERVER["QUERY_STRING"]</td><td class="v">test=&lt;script&gt;alert()&lt;/script&gt;</td></tr>

should not escape < to &lt; and should be consistent with the behaviour of _SERVER['argv'].

At the moment, _SERVER['argv'] and GET['test'] / _SERVER["QUERY_STRING"] etc. show different representations of the same string, where in reality the value is the same.

Expected result:
----------------
Ideally all strings should be escaped.

If not (i.e. if this would hinder debugging), then no strings should be escaped so that the output of any string in phpinfo matches the expected value given when running var_dump on the variable.
 [2004-09-04 22:04 UTC] rasmus@php.net
They are all escaped the same way.
 [2004-09-04 22:15 UTC] rasmus@php.net
In case you don't believe me, try doing:
test[0]=<script>alert("Hello")</script>
and you will see exactly the same non-escaping in GET and QUERY_STRING.  So it is quite consistent in that array elements are not escaped when displayed.  I may fix that, but it still doesn't change the fact that phpinfo() is a debugging function whose very content is insecure.  XSS is the least of your problems if you expose this output to the world.
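The inconsistency the report and the reply are about (top-level strings like QUERY_STRING escaped, array elements like argv entries and GET['test'][0] not) is easy to avoid in any home-grown debug page by escaping recursively before anything is written into HTML. The following is an added example, not PHP's own phpinfo() implementation; the `$server` and `$get` arrays are constructed stand-ins for the request data described above, and `escape_recursive` and `render_debug_table` are hypothetical helper names.

```php
<?php
// Added example (not PHP's phpinfo() source): render request data for a
// debug page with every value, including nested array elements, escaped.
// The request data below is constructed so the script runs offline.

// Constructed stand-ins for $_SERVER and $_GET as the report describes them:
// the same payload reaches the page as a top-level string and as an array element.
$server = [
    'QUERY_STRING' => 'test[0]=<script>alert("Hello")</script>',
    'argv'         => ['test[0]=<script>alert("Hello")</script>'],
];
$get = [
    'test' => ['<script>alert("Hello")</script>'],
];

/**
 * Recursively HTML-escape every scalar in $value, so nested array elements
 * (argv entries, GET['test'][0]) get exactly the same treatment as a
 * top-level string such as QUERY_STRING. Returns a string or an array.
 */
function escape_recursive($value)
{
    if (is_array($value)) {
        // array_map with a single array preserves keys, so structure is kept.
        return array_map('escape_recursive', $value);
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hypothetical helper: render one associative array as an HTML table in the
 * same <tr><td class="e">...</td><td class="v">...</td></tr> shape as
 * phpinfo() output. Arrays are shown through var_export() on the already
 * escaped copy, so the displayed text matches what var_dump() would print
 * while containing no raw '<', '>', '"' or "'".
 */
function render_debug_table(string $title, array $data): string
{
    $html = '<h2>' . htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</h2>\n<table>\n";
    foreach ($data as $key => $value) {
        $escaped = escape_recursive($value);
        $shown   = is_array($escaped) ? var_export($escaped, true) : $escaped;
        $html   .= '<tr><td class="e">'
                 . htmlspecialchars((string) $key, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                 . '</td><td class="v">' . $shown . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Both tables now show &lt;script&gt; for the string and for the array element alike.
echo render_debug_table('_SERVER', $server);
echo render_debug_table('_GET', $get);
```

Escaping at the point of output is the rule to remember; var_export is applied only after escaping so that nothing reaches the HTML unescaped. Consistent escaping does not change the second point in the reply: a page that dumps server configuration and request data is debugging output, and its exposure is itself the risk, so such a page should not be reachable by untrusted users regardless of how carefully it escapes.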
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Aug 16 08:01:28 2024 UTC