Is $_SERVER['QUERY_STRING'] safe from XSS?

Question

I need to construct a form who's action takes you back to the exact same page - GET parameters included. I'm thinking I can say something to the effect of:

echo '<form action="'.$_SERVER['SCRIPT_NAME'].'?'.$_SERVER['QUERY_STRING'].
     '" method="post">'

This seems to work, and testing passing a couple XSS attacks seems to be successful, as the output of QUERY_STRING seems to be URL encoded. However the PHP documentation does not mention this, so I'm not confident I can trust this behavior.

Is it safe to use QUERY_STRING the way I am above? If not, what can I do instead? References to documentation would be appreciated.

Update switched to SCRIPT_NAME, just mixed up which one was ok and which was bad in my head, thanks for catching me. action="" does resolve my specific issue nicely, but I'm still curious if QUERY_STRING is pre-processed so it is safe to use or not, since there are other times you might want to re-use the query string, assuming it's safe to do so.

Answer 1

You should never trust $_SERVER['QUERY_STRING'] as it can be used for XSS attacks.

In your case, one could exploit the vulnerability with:

http://your.server.com/your_script.php?"><script>alert(111);</script>

Note that the code above works on IE; FireFox and Chrome efficiently encode the query string before sending it to the web server.

I would always wrap it with htmlentities (mind the double_encode parameter) as with every user input.

Good luck!

Answer 2

If it's exploitable by XSS, first you need to know which attack. In the code posted here there is just one simple attack using the PHP_SELF.

But, to avoid any problem you could just leave the form action in blank. This will send the form to the same page including the query string.