PHP
Dmitry, 2022-04-06 15:14:13

Is there any xss danger in this code?

I often see this form submission code on micro-sites/landing pages:

<form action="mail.php" method="post"> <!-- method="post" is needed: mail.php reads $_POST -->
  <input type="text" name="name">
  <input type="text" name="phone">
  <input type="submit" value="Отправить">
</form>


//mail.php
<?php
$name  = $_POST['name'];   // raw user input
$phone = $_POST['phone'];  // raw user input

// both values are concatenated unescaped into a text/html body
mail('[email protected]', 'subject', $name . ' ' . $phone, "MIME-Version: 1.0\r\n"."Content-type: text/html; charset=utf-8\r\n");


Is there a danger of an XSS or other attack if the form data is not displayed anywhere on the site, but only sent by email?

2 answer(s)
ValdikSS, 2022-04-07
@RedNet

In your example, you can embed arbitrary HTML in the body of an email. It is unlikely that any more or less serious mailer will be able to execute exactly XSS, but introducing a tracking image, inserting third-party resources, and performing arbitrary formatting is no problem.
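An added example (neither the poster's code nor ValdikSS's) that puts the body-building step of the mail.php above beside a hardened variant. The field names come from the question; the sample submission and the recipient address are constructed placeholders.

```php
<?php
// Vulnerable, as in the question: raw POST values concatenated into a body
// that is sent with Content-type: text/html. The recipient's mail client
// renders whatever tags the submitter typed (tracking pixel, remote
// resources, arbitrary formatting), even though the site itself never
// displays the data.
function buildBodyVulnerable(array $post): string
{
    return $post['name'] . ' ' . $post['phone'];
}

// Hardened: treat every field as untrusted text. Newlines are collapsed so a
// value stays a single line, the length is bounded, and HTML metacharacters
// are escaped so the client shows the text literally instead of rendering it.
function cleanField(string $value, int $maxLen = 200): string
{
    $value = preg_replace('/[\r\n]+/', ' ', $value);
    $value = mb_substr(trim($value), 0, $maxLen, 'UTF-8');
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function buildBodyHardened(array $post): string
{
    $name  = cleanField($post['name']  ?? '');
    $phone = cleanField($post['phone'] ?? '');
    return "<p>Name: {$name}</p>\n<p>Phone: {$phone}</p>";
}

// Constructed submission of the kind ValdikSS describes: a tracking image
// plus formatting smuggled in through the "name" field.
$post = [
    'name'  => '<img src="https://tracker.example/pixel.gif"><b>Ivan</b>',
    'phone' => "+7 999 000-00-00",
];

echo buildBodyVulnerable($post), "\n\n"; // <img ...> and <b> reach the client as markup
echo buildBodyHardened($post), "\n";     // &lt;img ...&gt;&lt;b&gt;Ivan&lt;/b&gt; shown as text

// The headers stay a fixed string exactly as in the question, so no user
// data ever reaches a header line. 'recipient@example.com' is a placeholder.
$headers = "MIME-Version: 1.0\r\n" . "Content-type: text/html; charset=utf-8\r\n";
// mail('recipient@example.com', 'subject', buildBodyHardened($post), $headers);
```

If the notification never needs formatting, sending it as text/plain removes the rendering problem entirely; the escaping above is for the case where the HTML content type is kept.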

Adamos, 2022-04-06
@Adamos

I don't see an attack vector. But a great opportunity to analyze the input and, instead of sending emails, shove this input back up the ass of anyone who crams scripts or links into this form - yes. "Anyone" will not keep you waiting, by the way - bots fill up any found form with their advertising sheets, without even looking at what is offered in it. At least publish the application form for voluntary euthanasia.
