How to protect against this type of attack?
Be carefull with the use of $_SERVER['PHP_SELF]
You should do htmlspecialchars($_SERVER["PHP_SELF"]);
or htmlentities($_SERVER["PHP_SELF"]);
And that's a normal XSS attack.
More info: Info
I was using $_SERVER['PHP_SELF']
in an href
tag, so that's where the JavaScript was triggered.
The solution is simple. I run PHP_SELF
through a filter before using, and any passed garbage is cleaned and safe to use on the page.