I read all the posts regarding PHP_SELF and htmlspecialchars and did as they said. But I am not sure whether the behaviour of my website is correct or not.
Below is my code.
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post" id="enquiryform" name="enquiryform">
When I type the URL as http://mydomain.com/enquiry.php?alert('hacked'), it works fine.
But when I type
http://mydomain.com/enquiry.php/<script>alert('hacked')</script>
or
http://mydomain.com/enquiry.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
It displays the page without any CSS. But it does not show any alert box in any case (even if I don't use htmlspecialchars).
I am confused about what is happening here.
Thanks in advance for helping.
Your current implementation is correct. If you don't use htmlspecialchars, you're susceptible to this potential scenario:
http://mydomain.com/enquiry.php/"><script>alert('hacked')</script>
All you're missing in your scenario is the "> to break out of the current tag.
What htmlspecialchars does is escape the potentially-malicious string so that it cannot be interpreted as raw HTML.
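To make the answer's point concrete, here is an added example (not the asker's or answerer's code) that renders the form tag from a few constructed PHP_SELF values, including the trailing-path payload from the answer, once without escaping and once through htmlspecialchars. The function names, the sample values and the containsInjectedTag check are assumptions made for the example.

```php
<?php
// Added example (not from the question or answer): shows what the form
// action attribute becomes with and without htmlspecialchars() for a few
// constructed $_SERVER['PHP_SELF'] values.

declare(strict_types=1);

// Constructed sample values of $_SERVER['PHP_SELF']. The second one is the
// trailing-path-info payload from the answer; the third is the same thing
// with a single quote, which matters for the ENT_QUOTES caveat below.
$samples = [
    '/enquiry.php',
    '/enquiry.php/"><script>alert(\'hacked\')</script>',
    "/enquiry.php/'><script>alert('hacked')</script>",
];

// Unescaped: the raw value lands inside the attribute, so a " in it closes
// the attribute and everything after it is parsed as markup.
function renderActionUnescaped(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Escaped: <, >, &, " and (with ENT_QUOTES) ' become entities, so the value
// cannot terminate the attribute or open a new tag. ENT_QUOTES is passed
// explicitly because before PHP 8.1 the default flag set (ENT_COMPAT) does
// not escape single quotes, which would matter for a single-quoted attribute.
function renderActionEscaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Crude structural check for the demo: the only legitimate '<' in the
// rendered string is the one opening <form>, so a second '<' means the
// attribute value was able to open a tag of its own.
function containsInjectedTag(string $html): bool
{
    return substr_count($html, '<') > 1;
}

foreach ($samples as $phpSelf) {
    echo "PHP_SELF = $phpSelf\n";
    $raw  = renderActionUnescaped($phpSelf);
    $safe = renderActionEscaped($phpSelf);
    echo "  unescaped: $raw\n";
    echo "             injected tag? " . (containsInjectedTag($raw) ? 'yes' : 'no') . "\n";
    echo "  escaped:   $safe\n";
    echo "             injected tag? " . (containsInjectedTag($safe) ? 'yes' : 'no') . "\n\n";
}
```

Run it with `php example.php`. For the second sample the unescaped line reports an injected tag because the `">` in the path closes the action attribute and the `<script>` that follows is parsed as markup; the escaped line keeps the whole value inside the attribute as `&quot;&gt;&lt;script&gt;...`, which is exactly what the answer describes. The third sample is why ENT_QUOTES is worth passing explicitly on older PHP versions.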