0

When I try to enter

<script type="text/javascript" >
alert("hello");
</script>

in the comment box on my PHP page I do not get an alert box. I see the script in my text file, not on the webpage. For some reason the <script> isn't executing. I have active scripting and JavaScript enabled on all my browsers.

My PHP code:

<?php //CFPcomments.php

include_once 'CFPheader.php';




if (isset($_POST['content']))
{
    $fp = fopen('comments.txt', 'a');
    fwrite($fp, $_POST['content'] . "<br />");
    fclose($fp);
}

echo nl2br(file_get_contents('comments.txt'));





echo <<<_END
<h3>Post comment</h3>
<form action='CFPcomments.php' method='post'>
<textarea name='content' rows ='3' cols='100'></textarea>
<br/>
<input type='submit' value='Post' />
</form>
_END;
?>

Strange. I got it to work, not sure why.

<!DOCTYPE html>
<html>
<head>
    <title></title>
    <script type="text/javascript">
        alert("hello");
    </script>
</head>
<body>

</body>
</html>

When I type this in it seems to work

Anyone have any idea why???? Very confused.

19
  • Do you include jquery.js file ???? Commented Apr 16, 2014 at 4:29
  • 8
    @AmolNavsupe Do you think window.alert is part of jQuery? Commented Apr 16, 2014 at 4:30
  • $(window).load(function() { alert("window load occurred!"); }); Commented Apr 16, 2014 at 4:30
  • 3
    jQuery isn't being used here. Just vanilla JavaScript. Commented Apr 16, 2014 at 4:33
  • 1
    @winner You may want to do some reading on XSS if you haven't already. Allowing comments to contain JavaScript makes you immediately vulnerable to that kind of attack. Depending on the use case you may be okay with that. Commented Apr 16, 2014 at 4:35

2 Answers

4

Your nl2br() is most likely translating

<script type="text/javascript" >
alert("hello");
</script>

to

<script type="text/javascript" ><br/>
alert("hello");<br/>
</script><br/>

and breaking the JavaScript code.


7 Comments

Why do you think so, script tag is in nl2br()
Breaking is a harsh word, I would say enhancing it to a point where it no longer serves its original purpose
@c-link If the intention is to echo the <script> tag unmodified, then nl2br() will be modifying it.
What does your browser's source indicate?
Ah yes, it is adding the <br/> tags
0

I assigned a variable to the content, then displayed the variable in the PHP code. Now it works.

<?php //CFPcomments.php

include_once 'CFPheader.php';


setcookie("username", $GLOBALS['user'], time()+3600);
setcookie("password", $GLOBALS['pass'], time()+3600);
if (isset($_POST['content']))
{
    $fp = fopen('comments.txt', 'a');
    fwrite($fp, $_POST['content'] . "<br />");
    fclose($fp);
}

$comment =  file_get_contents('comments.txt');





echo <<<_END
<h3>Post comment</h3>
'$comment'
<form action='CFPcomments.php' method='post'>
<textarea name='content' rows ='3' cols='100'></textarea>
<br/>
<input type='submit' value='Post' />
</form>
_END;
?>
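
An added example, not code from the question or either answer: it first reproduces what nl2br() does to the posted script, then shows a hardened version of the comment page's storage and output, where the comment is stored as data and HTML-encoded when rendered. The helper names (save_comment, render_comment, render_all), the JSON-lines storage and the temporary file are assumptions made for this sketch.

```php
<?php
// Added example: helper names and the temp file are assumptions, not the page's code.

// Store the raw comment as one JSON line; no HTML is mixed into the data file.
function save_comment(string $file, string $text): void
{
    $record = json_encode($text, JSON_INVALID_UTF8_SUBSTITUTE);
    file_put_contents($file, $record . "\n", FILE_APPEND | LOCK_EX);
}

// Encode for the HTML context at output time, then add <br /> for newlines.
// Order matters: running nl2br() first would get its own <br /> tags escaped too.
function render_comment(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

function render_all(string $file): string
{
    $html = '';
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $text = json_decode($line);
        if (!is_string($text)) {
            continue; // skip corrupt records rather than echoing them
        }
        $html .= "<p>" . render_comment($text) . "</p>\n";
    }
    return $html;
}

// Constructed sample: the same text the question types into the comment box.
$sample = "<script type=\"text/javascript\" >\nalert(\"hello\");\n</script>";

// 1. The question's rendering: nl2br() escapes nothing, it only inserts <br />
//    before each newline, which lands inside the <script> element.
echo "nl2br() on raw input:\n", nl2br($sample), "\n\n";

// 2. Hardened round trip through a temporary file.
$file = tempnam(sys_get_temp_dir(), 'comments');
save_comment($file, $sample);
save_comment($file, "plain comment\nsecond line");
echo "escaped output:\n", render_all($file);
unlink($file);
```

The first output explains the missing alert: the inserted tags corrupt the script body, which is a side effect and not a defence, since nl2br() passes all other markup through unchanged.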
