With all of the security issues out there to worry about, XSS (cross-site scripting) is one of the worst to deal with. Not only is it one of the tougher ones to combat, it can also be one of the most dangerous. In a new post on his blog, Sean Coates talks about something to watch out for.
A predominant PHP developer (whose name I didn't get permission to drop, so I won't, but many of you know who I mean) has been doing a bunch of research related to Cross Site Scripting (XSS) lately. It's really opened my eyes to how much I take user input for granted.
Don't get me wrong. I write by the "never trust users" mantra. The issue, in this case, is something abusable that completely slipped under my radar.
The issue he was made aware of is exploits made possible through the script's own filename. $_SERVER['PHP_SELF'] can contain extra, user-supplied data: for example, extra path segments appended after the script name, separated with slashes. When that value is not handled correctly (for instance, echoed into the page unescaped), the extra data can end up pulling information from, or injecting content into, your site, opening a pretty scary hole.
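Added here as an illustration, not code from Sean Coates' post: the raw PHP_SELF pattern the text warns about, beside two hardened versions. The script name form.php, the server setting that allows path info, and the constructed request values are assumptions.

```php
<?php
// Added example. Assumes a page named form.php served with path info enabled,
// so a request for /form.php/<extra> still runs form.php and
// $_SERVER['PHP_SELF'] becomes "/form.php/<extra>", while
// $_SERVER['SCRIPT_NAME'] stays "/form.php".

// VULNERABLE: PHP_SELF echoed raw into an HTML attribute. Whatever follows the
// script name in the request path is reflected into the page unescaped.
function form_action_unsafe(): string
{
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// HARDENED, option 1: escape for the HTML attribute context at the output boundary.
function form_action_escaped(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// HARDENED, option 2: use SCRIPT_NAME, which carries no path-info suffix,
// and still escape it (defence in depth: escape every value you output).
function form_action_script_name(): string
{
    $self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Demonstration with a constructed request, runnable from the CLI (php form.php)
// without a web server. The suffix is a constructed, harmless markup fragment.
$_SERVER['SCRIPT_NAME'] = '/form.php';                   // constructed
$_SERVER['PHP_SELF']    = '/form.php/"><i>reflected</i>'; // constructed path-info suffix

echo form_action_unsafe(), PHP_EOL;       // attribute closed early; markup lands in the page
echo form_action_escaped(), PHP_EOL;      // quotes and angle brackets become entities; inert text
echo form_action_script_name(), PHP_EOL;  // action is /form.php only
```

Running the three lines side by side shows that only the first output breaks out of the attribute; the other two keep the suffix as plain text or drop it entirely.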