Reflected Cross-Site Scripting (XSS) in /admin/Add notice/notice.php via $_SERVER['PHP_SELF']

### Reflected Cross-Site Scripting (XSS) in /admin/Add notice/notice.php via $_SERVER['PHP_SELF']

**Describe the bug**
A reflected Cross-Site Scripting (XSS) vulnerability exists in `/admin/Add notice/notice.php` at line 128. The script uses the unsanitized `$_SERVER['PHP_SELF']` variable as the form action attribute, allowing an attacker to inject arbitrary JavaScript code through a crafted URL.

**Steps to reproduce**
1. Log in to the admin panel using the preset admin account (username: `admin`, password: `admin123`).
2. Access the following crafted URL in a browser (the vulnerable page is only accessible after login):

http://127.0.0.1:3000/admin/Add%20notice/notice.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E

3. The browser will execute the injected JavaScript and display an alert box with the text `XSS`, confirming the vulnerability.

The malicious code can be replaced with more harmful scripts (e.g., to steal cookies, perform phishing, or hijack the admin session).

**Describe the solution**
To fix this vulnerability, the `action` attribute should not directly output user-controllable input. Instead, use a hardcoded relative URL or properly sanitize the output.

Recommended fix:
- Replace `<?php echo $_SERVER['PHP_SELF']; ?>` with a static value, such as `""` (post to same page) or `"notice.php"`.
- If dynamic values are necessary, use `htmlspecialchars()` to encode output:  
`<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>`

**Screenshots**
![XSS payload demonstration](https://pic1.imgdb.cn/item/69ba4bbc98447adc35188e43.png)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Reflected Cross-Site Scripting (XSS) in /admin/Add notice/notice.php via $_SERVER['PHP_SELF'] #237