I have a form in which users enter a web template and they can view it in their browser.
This page is viewable only:
<?php
// Title is escaped before output; missing keys fall back to an empty string.
echo "<title>".htmlspecialchars($_POST['title'] ?? '', ENT_QUOTES)."</title><br/>";
// Body is output unescaped: nl2br() only converts newlines, it does not neutralise HTML.
echo nl2br($_POST['body'] ?? '');
?>
I realized when I tested this that it could access my local CSS / JS files. This made me wonder if this could lead to a security attack.
Website cookies have a domain flag and an httponly flag. If a client tried to use XSS, would they only use rights?
Is echo $_POST safe for my web server?
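The following is an added example, not part of the original question: it places the questioner's pattern (escaped title, raw body) beside a hardened version that escapes the body before nl2br(), and runs both over a constructed request array. The function names and the sample input are assumptions made for the demonstration.

```php
<?php
// Added example (not from the original question): vulnerable rendering beside the fix.

// Mirrors the pattern in the question: the title is escaped, the body is not.
function render_unsafe(array $post): string
{
    $out  = "<title>" . htmlspecialchars($post['title'] ?? '', ENT_QUOTES, 'UTF-8') . "</title>\n";
    $out .= nl2br($post['body'] ?? '');   // client-supplied markup reaches the page unchanged
    return $out;
}

// Hardened version: escape first, then convert newlines. nl2br() only inserts
// <br /> tags, so applying it after htmlspecialchars() keeps the line breaks
// while every '<', '>', '"', '\'' and '&' from the client is rendered as text.
function render_safe(array $post): string
{
    $title = htmlspecialchars($post['title'] ?? '', ENT_QUOTES, 'UTF-8');
    $body  = nl2br(htmlspecialchars($post['body'] ?? '', ENT_QUOTES, 'UTF-8'));
    return "<title>{$title}</title>\n{$body}";
}

// Constructed sample input standing in for $_POST: plain text, an HTML tag and a script tag.
$sample = [
    'title' => 'My "template"',
    'body'  => "Line one\n<b>bold</b>\n<script>alert(1)</script>",
];

echo "--- unsafe ---\n", render_unsafe($sample), "\n";
echo "--- safe ---\n",   render_safe($sample),   "\n";

// Self-check on the hardened output: no raw tags survive except the <br />
// that nl2br() itself inserts (two newlines in the body give two <br />).
$safe = render_safe($sample);
if (strpos($safe, '<script>') !== false) {
    throw new RuntimeException('script tag survived escaping');
}
if (substr_count($safe, '<br />') !== 2) {
    throw new RuntimeException('unexpected number of line breaks');
}
```

Run it with `php example.php`. The unsafe branch prints the `<script>` tag verbatim, so a browser would execute it in the page's origin; the safe branch prints `&lt;script&gt;` as visible text. Cookie flags do not change this: `httponly` only hides the cookie value from script, it does not stop injected script from acting on the user's behalf inside the page, so escaping output is the control that matters here.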