modern-web-design-and-development

(Brent) #1
<style type="text/css" media="screen">
#intro{
    /* color is set by PHP */
    color:<?php echo $color;?>;
    /* background is set by PHP */
    background:<?php echo $background;?>;
    font-family:helvetica,arial,sans-serif;
    font-size:200%;
    padding:10px;
}
</style>

Cool intro block, customizable, too!


So far, everything’s kosher, and we’re not even using inline styles! If you
save this now as test.php and call it on your server in your browser as the
URI http://example.com/test.php, you will get a text intro block that
is black on white. The $_GET[] variables come from the URI as parameters,
and because they are not set, nothing changes. If you want the colors to be
red on pink, you can do this:
http://example.com/test.php?color=red&background=pink.
But because you allow any value for the variables, an attacker could send
the following:
http://example.com/test.php?color=green&background=</style>
This would effectively close the style block prematurely and add a script to
the document. In this case, all we would be doing is writing out the word
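The same intro block with the two query parameters checked before they reach the style sheet, as an added example that is not the book's own code; the safe_css_color helper and its whitelist pattern are my additions.

```php
<?php
// Added example: validate user-supplied CSS values before echoing them
// into a <style> block. Anything that is not a plain colour token is
// replaced by a safe default, so the value can never contain the
// characters (<, >, /, ;, {, }) needed to close the style element or
// smuggle in a new declaration.
function safe_css_color(?string $value, string $default): string
{
    if ($value === null) {
        return $default;
    }
    // Accept only #rgb / #rrggbb or a simple named colour (letters only).
    // An unknown name such as "bogus" is still harmless: the browser just
    // ignores the invalid declaration.
    if (preg_match('/\A(#[0-9a-fA-F]{3}([0-9a-fA-F]{3})?|[a-zA-Z]{1,20})\z/', $value)) {
        return $value;
    }
    return $default;
}

// Defaults reproduce the book's black-on-white intro block.
// safe_css_color('red', 'black')       -> 'red'
// safe_css_color('#ffc0cb', 'white')   -> '#ffc0cb'
// safe_css_color('</style>', 'white')  -> 'white'  (rejected, default used)
$color      = safe_css_color($_GET['color'] ?? null, 'black');
$background = safe_css_color($_GET['background'] ?? null, 'white');
?>
<style type="text/css" media="screen">
#intro{
    /* color is set by PHP, after validation */
    color:<?php echo $color; ?>;
    /* background is set by PHP, after validation */
    background:<?php echo $background; ?>;
    font-family:helvetica,arial,sans-serif;
    font-size:200%;
    padding:10px;
}
</style>
<div id="intro">Cool intro block, customizable, too!</div>
```

Because the check is a whitelist rather than a blacklist, the request from the text (background=</style>) simply renders the default white background instead of breaking out of the style block.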
