Question

Imagine this simple form

<form action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="post">
    <fieldset>
        <legend>Contact Me</legend>
        <label for="email">Email:</label>
        <input type="text" name="email" id="email" />
        <button type="submit">Submit</button>
    </fieldset>
</form>

Now imagine it is accessed via form.php?hack=" onsubmit="alert('xss')

The output when I view source is

<form action="/things/?hack=%22%20onsubmit=%22alert(%27xss%27)" method="post">

What is encoding this - is it the browser or PHP?

Outside of curiosity, I always echo $_SERVER['REQUEST_URI'] within htmlspecialchars().


Solution

That is done by the browser. If you are using a PHP framework, some of them also change it. It is similar to what you do using PHP's urlencode function.

OTHER TIPS

If you enter form.php?hack=" onsubmit="alert('xss') into the address bar of your browser, it converts it to form.php?hack=%22%20onsubmit=%22alert(%27xss%27), as the " and space characters are not allowed in a URI, so they must be encoded. The ' is allowed in URIs but may also be encoded.
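An added example, not code from the question or from either answer, that demonstrates both points above: what the address bar does to the typed query string, and why that encoding is not a defence. Node's built-in URL class implements the WHATWG URL Standard, the same parsing and percent-encoding algorithm browsers apply, so it stands in for the browser here. The caveat a practitioner wants is the second half: an attacker does not type into an address bar. Any HTTP client (curl, netcat, an intercepting proxy) can put the unencoded bytes on the request line, and PHP hands that raw request target through in $_SERVER['REQUEST_URI'], so the htmlspecialchars() call in the template is what actually keeps onsubmit from becoming an attribute. The request line, the example.test origin and the htmlspecialchars() stand-in are all constructed for this example.

```javascript
// Added example, not code from the question or the answers above.
// Node's global URL class implements the WHATWG URL Standard, the same
// algorithm the browser address bar uses, so it stands in for the browser.
// The request line, the origin and the htmlspecialchars() stand-in are
// constructed for this example.

// What the browser actually sends for a URL typed into the address bar.
function browserEncodedPath(typed) {
  const u = new URL(typed, 'http://example.test'); // origin is a placeholder
  return u.pathname + u.search;
}

// Minimal stand-in for PHP's htmlspecialchars() with ENT_QUOTES: the five
// characters that can terminate text or a quoted attribute value.
function htmlspecialchars(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The question's template line, action="<?php echo $_SERVER['REQUEST_URI']; ?>",
// rendered either raw (as posted) or through htmlspecialchars() (as the asker does).
function renderAction(requestUri, escape) {
  const value = escape ? htmlspecialchars(requestUri) : requestUri;
  return `<form action="${value}" method="post">`;
}

// Deliberately simple attribute tokenizer: just enough to show where a browser
// would see one double-quoted attribute value end and the next attribute begin.
function attributeNames(tag) {
  const names = [];
  const re = /([A-Za-z-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Constructed request target: byte for byte what a non-browser client can put
// on the request line. PHP passes it through unchanged in $_SERVER['REQUEST_URI'].
const RAW_REQUEST_URI = '/form.php?hack=" onsubmit="alert(\'xss\')';

// 1. Typed into the address bar: " and space become %22 and %20, ' becomes %27.
console.log(browserEncodedPath(RAW_REQUEST_URI));
// 2. Sent raw and echoed unescaped: onsubmit becomes a real attribute.
console.log(attributeNames(renderAction(RAW_REQUEST_URI, false)));
// 3. Sent raw but echoed through htmlspecialchars(): it stays inside action.
console.log(attributeNames(renderAction(RAW_REQUEST_URI, true)));
```

Case 1 reproduces the encoded URL quoted in the question; cases 2 and 3 show that the browser's encoding was never what protected the page. One PHP detail worth knowing when relying on htmlspecialchars(): before PHP 8.1 its default flags did not escape the single quote (only `"`, `&`, `<`, `>`), which is fine for a double-quoted attribute like the one here but not for a single-quoted one; pass ENT_QUOTES explicitly if the template may use either.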

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow