Delivery Coach for Teams, agility coach and mentor
Thank you for pointing this out. I have just run an automated find/replace across my custom content management system (which I use for over 20 clients) and replaced every instance of $_SERVER['PHP_SELF'] with htmlspecialchars($_SERVER['PHP_SELF']).
Thus far in my preliminary testing this does not seem to have broken anything… though it replaced 237 instances of this (on just my installation… so multiply that by all the installs I have out there and this was a pretty gaping issue). Not all my references to this were in form submissions… most are on page redirects… but it seems to me that the same rule would apply there, so glad to replace it everywhere. There is plenty of testing still to go, but all looks good thus far 🙂
Thanks for helping to secure my website and that of anyone else reading your blog.
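The find/replace the comment describes, shown as an added example (not the commenter's CMS code and not the blog's own): the unescaped PHP_SELF echo beside its htmlspecialchars() form, plus SCRIPT_NAME as an alternative source. The request path, the file name form.php and the function names are constructed for this example so it runs from the CLI without a web server.

```php
<?php
// Added example, not code from the original post or the comment above.

// PHP_SELF includes PATH_INFO, so a request for /form.php/EXTRA gives
// $_SERVER['PHP_SELF'] the value "/form.php/EXTRA": the suffix comes from
// the request. Constructed here so the script runs stand-alone.
$_SERVER['PHP_SELF'] = '/form.php/"><i>injected</i>';
$_SERVER['SCRIPT_NAME'] = '/form.php'; // constructed: no PATH_INFO here

// Before: the path is written into the attribute as-is, so the quote
// character closes the attribute and what follows becomes markup.
function formTagUnsafe(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// After (the replacement the comment made): htmlspecialchars() turns
// & < > " into entities so the value stays inside the attribute.
// ENT_QUOTES also covers single-quoted attributes; naming the charset
// avoids mis-decoding multi-byte input.
function formTagEscaped(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Alternative source: SCRIPT_NAME holds only the script's path, without
// PATH_INFO, so it carries no request-supplied suffix. It is still
// escaped on output, since escaping at the output point is the rule
// regardless of where the value came from.
function formTagScriptName(): string
{
    $self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Compare the three outputs: only the first contains a raw < or ".
echo "unsafe:      ", formTagUnsafe(), "\n";
echo "escaped:     ", formTagEscaped(), "\n";
echo "script_name: ", formTagScriptName(), "\n";
```

One caveat for the redirect case the comment mentions: htmlspecialchars() is an HTML-context escape. Where PHP_SELF is placed in an HTML attribute or element it does the job; where it is passed to header('Location: ...') the value is not HTML, so entity encoding is not the relevant control there, and checking the target against the paths the application actually expects is the check to apply.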