ha.ckers sla.cking
Q and A for any cross site scripting information. Feel free to ask away. 
URL decoding and php's $_SERVER['REQUEST_URI']
Posted by: BlubberBubble
Date: April 23, 2010 07:39PM

I was wondering why XSS attacks even work if the injected code is urlencoded. Why does the server decode this before reflecting? Wouldn't it be safer if the application had to do this explicitly if needed?

I noticed that PHP does automatic decoding when using $_GET but not when using $_SERVER['REQUEST_URI']. Does anyone know why this is the case? Are there any injection vectors against REQUEST_URI?

By the way, is automatic decoding for GET parameters specific to PHP?

Re: URL decoding and php's $_SERVER['REQUEST_URI']
Posted by: Skyphire
Date: April 24, 2010 02:02PM

$_SERVER, as the name already states, comes from the server, Apache for example. The browser URL-encodes it as per RFC 1738 before sending the request, because they are "unsafe" characters, rightfully so understood by those who wrote that draft in 1994.

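The following is an added example, not code posted in this thread. It shows the difference the question is about: PHP percent-decodes the query string when it builds $_GET, but $_SERVER['REQUEST_URI'] is the request target exactly as the client sent it. It then shows the usual REQUEST_URI sink (a self-referencing form action) with the input a browser would send, the same input sent raw by a non-browser client, and the case where the application decodes the URI itself. The file name search.php, the parameter q and the request lines are made up for the demonstration; the script seeds the superglobals only when run from the CLI so it can also be dropped into a web root and requested for real.

```php
<?php
// Added example, not code from the thread. Demonstrates that PHP decodes
// the query string into $_GET but leaves $_SERVER['REQUEST_URI'] as sent,
// and why reflecting REQUEST_URI verbatim is still a reflected-XSS sink.
// The path /search.php and the parameter q are hypothetical.

// Seed the superglobals the way the SAPI would, so the same file runs
// from the CLI (simulation) and under a web server (real request).
function seed_request(string $uri): void {
    $_SERVER['REQUEST_URI']  = $uri;
    $qpos = strpos($uri, '?');
    $_SERVER['QUERY_STRING'] = $qpos === false ? '' : substr($uri, $qpos + 1);
    // This is the step PHP performs for you: each name and value in the
    // query string is percent-decoded into $_GET. REQUEST_URI is not touched.
    parse_str($_SERVER['QUERY_STRING'], $_GET);
}

// Sink 1: the classic self-referencing form action. Unsafe whenever the
// client sent the special characters literally.
function form_unsafe(string $uri): string {
    return '<form action="' . $uri . '" method="get">';
}

// Sink 2: the application "helpfully" decodes first. Unsafe even when the
// client was a browser that percent-encoded everything.
function form_decoded(string $uri): string {
    return '<form action="' . urldecode($uri) . '" method="get">';
}

// Fix: encode for the HTML attribute context at the point of output.
// ENT_QUOTES also covers the single quote, which is needed inside
// single-quoted attributes.
function form_safe(string $uri): string {
    return '<form action="' . htmlspecialchars($uri, ENT_QUOTES, 'UTF-8') . '" method="get">';
}

if (PHP_SAPI === 'cli') {
    // Constructed request targets. A browser percent-encodes the "unsafe"
    // characters; curl or a hand-written request can send them literally.
    $from_browser = '/search.php?q=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E';
    $from_curl    = '/search.php?q="><script>alert(1)</script>';

    foreach ([$from_browser, $from_curl] as $uri) {
        seed_request($uri);
        echo "REQUEST_URI : {$_SERVER['REQUEST_URI']}\n";   // exactly as sent
        echo "\$_GET['q']   : {$_GET['q']}\n";              // decoded by PHP
        echo "unsafe      : " . form_unsafe($_SERVER['REQUEST_URI']) . "\n";
        echo "decoded     : " . form_decoded($_SERVER['REQUEST_URI']) . "\n";
        echo "safe        : " . form_safe($_SERVER['REQUEST_URI']) . "\n\n";
    }
} else {
    // Under a web server: request this file from a browser, then with the
    // same characters raw, e.g. curl 'http://host/search.php?q="><script>'
    header('Content-Type: text/plain; charset=UTF-8');
    echo "REQUEST_URI : {$_SERVER['REQUEST_URI']}\n";
    echo "\$_GET['q']   : " . ($_GET['q'] ?? '') . "\n";
    echo "unsafe      : " . form_unsafe($_SERVER['REQUEST_URI']) . "\n";
    echo "decoded     : " . form_decoded($_SERVER['REQUEST_URI']) . "\n";
    echo "safe        : " . form_safe($_SERVER['REQUEST_URI']) . "\n";
}
```

With the browser-encoded request, form_unsafe() emits the percent-encoded string and the attribute stays intact, which is why the attack seems not to work; form_decoded() breaks out of the attribute anyway, because the application undid the browser's encoding. With the raw request, form_unsafe() breaks out immediately, since PHP never decoded anything and there was nothing encoded to begin with. Two caveats a practitioner should keep in mind: which characters a browser leaves unencoded in the request line has varied between browsers and versions, and whether a server accepts literal characters such as `<` or `"` in the request line depends on its own request-line validation, so client-side encoding is not something the application may rely on. The automatic decoding itself is not PHP-specific: query-string parsers in other stacks (Python's urllib.parse.parse_qs, for instance) percent-decode parameter values in the same way, while the raw request target is left alone.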
