I have a dual language site where I get the contents I want based on a lang var I pass to the url e.g. index.php?lang=en or index.php?lang=gr (I pass that variable to a SESSION one so I do not have to write it in each url). So in order to be able to change it I need to get the current URL. I am using PHP with
Code:
// SERVER_PROTOCOL is "HTTP/1.x" even over TLS, so the scheme is detected from $_SERVER['HTTPS'] instead
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$host = $_SERVER['HTTP_HOST'];
$uri = $_SERVER['REQUEST_URI'];
$currurl = $protocol.'://'.$host.$uri;
some questions;
a) is $_SERVER['HTTP_HOST'] safe to use without any escaping? I mean I do not see how it could be exploited?
b) $_SERVER['REQUEST_URI'] is vulnerable to XSS attacks so lots of people recommend htmlspecialchars(), however in a wordpress forum a developer wrote
"A naked htmlspecialchars() won't protect you completely.
Consider a form with htmlspecialchars($_SERVER['PHP_SELF']) as the action, enclosed with single quotes. This will defeat it:
Code:
script.php/'%20onmouseover='alert(document.cookie)'
"
it seemed valid, what do you think? I always used htmlspecialchars() with ENT_QUOTES; is there something better?
c) to get the current URL and put it to an href after some manipulation would you use PHP or Javascript (in order for the server not to have unnecessary load)?
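The following is an added example, not code from the original post. It shows one defensive way to handle the three points raised: treating HTTP_HOST as untrusted input (it is just the Host request header) by checking it against an allowlist, detecting the scheme from $_SERVER['HTTPS'] rather than SERVER_PROTOCOL, and escaping the resulting URL for an attribute with ENT_QUOTES so that the single-quote path from the quoted forum post cannot close a single-quoted href. The host name example.test, the $allowedHosts list and the function names are assumptions for illustration; the query parameter is called lang as in the post.

```php
<?php
// Added example (not from the original post). Builds a "switch language" link
// from the current request without trusting the Host header or the raw path.

function currentScheme(array $server): string {
    // SERVER_PROTOCOL reads "HTTP/1.1" even on TLS connections; HTTPS is the
    // variable that actually reflects the connection type.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return 'https';
    }
    return 'http';
}

function safeHost(array $server, array $allowedHosts): string {
    // HTTP_HOST comes straight from the client's Host header, so a link built
    // from it can point at a host the attacker chose. Compare it against a
    // fixed allowlist (hypothetical list, fill in your own site's hosts) and
    // fall back to the first configured host instead of reflecting the header.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowedHosts, true)) {
        return $allowedHosts[0];
    }
    return $host;
}

function languageSwitchUrl(array $server, array $allowedHosts, string $lang): string {
    // Split REQUEST_URI into path and query so only the lang parameter changes.
    $parts = parse_url($server['REQUEST_URI'] ?? '/');
    $path  = $parts['path'] ?? '/';
    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);
    }
    $query['lang'] = $lang;
    return currentScheme($server) . '://' . safeHost($server, $allowedHosts)
        . $path . '?' . http_build_query($query);
}

function escapeForAttribute(string $value): string {
    // ENT_QUOTES escapes both " and ', so the value is safe inside a single-
    // or double-quoted attribute.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed request using the path from the quoted forum post.
$server = [
    'HTTPS'       => 'on',
    'HTTP_HOST'   => 'example.test',
    'REQUEST_URI' => "/script.php/'%20onmouseover='alert(document.cookie)'?lang=en",
];
$allowedHosts = ['example.test'];

$url = languageSwitchUrl($server, $allowedHosts, 'gr');
echo $url, PHP_EOL;

// ENT_COMPAT was the default before PHP 8.1: double quotes are escaped but the
// single quote passes through, which is exactly what the quoted post warns about.
echo htmlspecialchars($url, ENT_COMPAT, 'UTF-8'), PHP_EOL;

// With ENT_QUOTES the single quote becomes &#039; and cannot end the attribute.
echo "<a href='" . escapeForAttribute($url) . "'>GR</a>", PHP_EOL;
```

Two notes on the design: the host allowlist is what answers question a), because the problem with HTTP_HOST is not HTML injection (it still needs escaping when printed) but that any absolute URL or redirect built from it can be steered to another host; and the ENT_COMPAT line is there to make the pre-8.1 behaviour visible on any PHP version, since from PHP 8.1 onward htmlspecialchars() escapes single quotes by default, so code that must run on older PHP should keep passing ENT_QUOTES explicitly.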