To simplify the example, here is the code. The page has a form:
<form id='send' action='../lib/getpage.php' method='post' target='getpage'>
     <input id='url' name='url' type='text' value=''>
</form>

Which transmits a file getpage.php to the frame:
<iframe id='getpage' name='getpage' src='' class='autoHeight' frameborder='0' scrolling='auto'></iframe>

The getpage.php file itself displays the page body:
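<?php
       // file_get_html() comes from the Simple HTML DOM library, which must be included first
       $url = $_POST['url'];           // URL supplied by the form
       $page = file_get_html($url);    // fetch and parse the remote page
       echo $page;                     // output the remote markup unchanged
?>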


If the remote page contains XSS code, will it affect my site and, if so, how to get rid of it?
  • It is necessary that the loaded page in the frame remains operable, i.e. that the browser can display it normally. – Grieving Gnat Dec 17 '11 at 05:15

1 Answer

And what if, just before the output in getpage.php, you cut all possible XSS out of $page?
  • Can you give me an example, or an example of a ready-made library, that will not spoil the output HTML headers? That is, the page processing needs to leave the page operational (head->script can be deleted). – Grieving Gnat Dec 15 '11 at 08:02
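
One way to apply the filtering discussed above while keeping the page displayable, as an added example that is not code from the original post or its answer: getpage.php strips script content before output and serves the result under a CSP sandbox. The helper name strip_active_content and the include path are assumptions.

```php
<?php
// Added example, not the original poster's code; helper names are hypothetical.
require_once 'simple_html_dom.php';   // assumed path; provides file_get_html()

// Best-effort removal of script elements, on* handlers and javascript: URLs.
function strip_active_content(string $html): string
{
    if (trim($html) === '') {
        return '';                             // loadHTML() rejects empty input
    }
    libxml_use_internal_errors(true);          // tolerate broken real-world markup
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NONET);
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    // Snapshot the node lists first: removing while iterating skips nodes.
    foreach (iterator_to_array($xpath->query('//script')) as $node) {
        $node->parentNode->removeChild($node);
    }
    foreach (iterator_to_array($xpath->query('//@*')) as $attr) {
        $value = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->nodeValue));
        if (stripos($attr->nodeName, 'on') === 0 || strpos($value, 'javascript:') === 0) {
            $attr->ownerElement->removeAttribute($attr->nodeName);
        }
    }
    return $doc->saveHTML();
}

$url    = is_string($_POST['url'] ?? null) ? $_POST['url'] : '';
$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
if (!in_array($scheme, ['http', 'https'], true)) {
    http_response_code(400);                   // no file://, php:// or other wrappers
    exit('Only http(s) URLs are accepted');
}
$page = file_get_html($url);
if (!$page) {
    http_response_code(502);
    exit('Could not fetch the page');
}

// The remote markup is served from this site's own origin, so anything the
// filter misses would run with the site's cookies and DOM access. The CSP
// sandbox directive (never add allow-same-origin) gives the response a unique
// opaque origin and blocks script execution; forms stay usable.
header('Content-Security-Policy: sandbox allow-forms');
header('X-Content-Type-Options: nosniff');
echo strip_active_content((string) $page);
```

DOMDocument::loadHTML() assumes ISO-8859-1 when the markup declares no charset, so pages without a charset declaration may need their encoding declared before parsing.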