In addition to form posts, information passed on the URL (form method=get or via hyperlinks) can be dangerous.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="author" content="Roderick Divilbiss">
<meta name="copyright" content="© 2005 Roderick Divilbiss">
</head>
<body>
<%=request.form("input1")%>
<form name="frm" action="example.asp" method="post">
<input type="text" size="40" name="input1" value="<script>alert('XSS Succeeded')</script>">
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
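As an added example, not code from the original page: the same reflected-output pattern as example.asp above, written in Node.js so it runs stand-alone. It shows the raw echo of `request.form("input1")` beside the entity-encoded version that `Server.HTMLEncode` would produce, and the query-string variant the first sentence refers to. The function names and the `example.invalid` host are assumptions.

```javascript
// Added example (hypothetical names), not the page's own ASP code.
// The ASP line <%=request.form("input1")%> drops the posted value into the page
// unencoded; renderVulnerable() does the same, renderSafe() applies the entity
// encoding that Server.HTMLEncode performs on the ASP side.

// The value pre-filled in the page's form (constructed test input).
const PAYLOAD = "<script>alert('XSS Succeeded')</script>";

// Encode the five characters that let text break out of an HTML text or
// quoted-attribute context. '&' goes first so existing entities are not re-encoded.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirrors <%=request.form("input1")%>: the submitted value becomes live markup.
function renderVulnerable(input1) {
  return `<body>${input1}<form name="frm" action="example.asp" method="post"></form></body>`;
}

// Hardened version: the same value, rendered as inert text.
function renderSafe(input1) {
  return `<body>${htmlEncode(input1)}<form name="frm" action="example.asp" method="post"></form></body>`;
}

// The first sentence above also covers values passed on the URL (method=get or a
// hyperlink). This mirrors request.querystring("input1"): the parser decodes the
// percent-encoding, so the server sees exactly the same string as a form post.
function input1FromUrl(url) {
  return new URL(url).searchParams.get("input1");
}

// Defender-side check on the rendered page: does a live <script> tag appear
// where only the echoed input should be? True for the vulnerable output.
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

const viaUrl = input1FromUrl("http://example.invalid/example.asp?input1=" + encodeURIComponent(PAYLOAD));
console.log("vulnerable:", containsLiveScriptTag(renderVulnerable(PAYLOAD))); // true
console.log("hardened:  ", containsLiveScriptTag(renderSafe(viaUrl)));        // false
```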
© Copyright 2000-2008, Roderick (Rod) W. Divilbiss. Some rights reserved.
Except where otherwise noted, this site, all content, and all source code and markup are licensed under a Creative Commons License.
No part of this web site including all application code and examples may be used for commercial purposes without prior written permission from the author,
Roderick W. Divilbiss of Overland Park, Kansas, United States of America.