
HTML injection: cannot insert javascript into textarea


I'm testing a page I made in PHP for HTML injections, but it's not working the way I expected.

I'm trying to insert

<div onmouseover="alert(1)" style="position:fixed;left:0;top:0;width:9999px;height:9999px;">
</div>

inside a textarea. Server-side, I just want to display $_GET with a var_dump for now but it doesn't even get to that: when I click the button it just brings me back to the homepage and #3377832596384266514 is added to the URL. I don't get any error in PHP so maybe it's a server issue (Apache 2.4).

I'm guessing some part of the stack is being defensive, like when you add javascript: to a URL and the browser gets rid of it, but I don't know where to look. I've also tried

<script>alert(foo);</script>

and other variations but then the < and some other characters are stripped.

test.php
<!doctype html>
<html>
<head>
     <meta charset="utf-8">
     <title>Test</title>
</head>
<body>
    <form method="get" action="select.php">
        <p>
            <label for="select">Words
                <textarea id="select"
                       name="select"
                       cols="50"
                       rows="1"
                       maxlength="100"
                       required
                       autofocus></textarea>
            </label>
        </p>
        <p>
            <button>Send</button>
        </p>
    </form>
</body>
</html>


select.php
<?php
    var_dump($_GET);

Edit: textarea instead of input.

Edit: added all the code.


Solution

  • Change the form method from GET to POST.

    GET is possibly causing an issue with how the server handles certain markup in the URL.

    OP verified this resolved the issue.
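As an added example (not the original poster's or the answerer's code), the same form and handler switched to POST, with select.php echoing the submitted text back through htmlspecialchars() so that any markup in it is displayed as text instead of being rendered; the file and field names follow the question, and the ob_start()/var_dump() wrapper is an assumption about how to keep the debug dump readable.

```php
<?php
// select.php (added example; POST variant of the handler in the question)
// Reads the textarea value from $_POST and shows it two ways.

// Accept only POST so a GET request (e.g. a bookmarked URL) gets a short
// message instead of a var_dump of an empty array.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Send the form with POST.');
}

$text = $_POST['select'] ?? '';

// 1. Raw structure, for debugging: var_dump() writes to the page unescaped,
//    so a value like <div onmouseover=...> would be rendered by the browser.
//    Capturing the dump and passing it through htmlspecialchars() keeps it
//    as visible text.
ob_start();
var_dump($_POST);
$dump = ob_get_clean();
?>
<!doctype html>
<html>
<head><meta charset="utf-8"><title>Result</title></head>
<body>
<pre><?= htmlspecialchars($dump, ENT_QUOTES | ENT_HTML5, 'UTF-8') ?></pre>

<!-- 2. The value echoed back as text: escaping happens at output time, so
        the transmitted value is unchanged but cannot become markup. -->
<p>You wrote (<?= strlen($text) ?> bytes):</p>
<p><?= htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') ?></p>

<!-- The form from the question, with method changed to POST as in the answer. -->
<form method="post" action="select.php">
  <textarea name="select" cols="50" rows="1" maxlength="100" required></textarea>
  <button>Send</button>
</form>
</body>
</html>
```

With this handler the payload from the question arrives intact in $_POST['select'] (the var_dump shows its full length) but appears on the page as literal text, which is the difference between confirming that input reaches the script and actually having an injection.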