Reputation: 4911
Why doesn't this XSS work?
Possibly simple solution, but I can't understand why my attempt to run this alert script on my welcome page via XSS input on the index page doesn't work.
I have a simple index.htm page with a form:
<!DOCTYPE html>
<html>
<body>
<form method="post" action="welcome.php">
Name: <input type="text" name="name">
<input type="submit">
</form>
</body>
</html>
And the welcome.php file:
<!DOCTYPE html>
<html>
<body>
<h3> Welcome <?php echo $_POST['name']; ?> </h3>
</body>
</html>
As a visitor to the index.php page, in the Name field I attempted to enter: <script>alert("pwned")</script>
Upvotes: 3
Views: 960
Answers (1)
Reputation: 8528
This has nothing to deal with PHP itself, as most browsers has XSS auditor which will try to protect the user from know XSS attacks
Running your example would result in:
The XSS Auditor refused to execute a script in 'http://localhost:9093/welcome.php' because its source code was found within the request. The auditor was enabled as the server did not send an 'X-XSS-Protection' header.
For more information, you can check this question
Upvotes: 1
Related Questions
- Why is the following Javascript code not working?
- why is this xss not working
- Why doesn't this XSS attack work?
- why is this not xss vulnerable?
- Why doesn't this javascript script work?
- Why doesn't this javascript work in browser?
- Why won't this JS code work?
- Why isn't this javascript code working?
- Why doesn't this javascript code work?
- Why doesn't this javascript code work?