Reflected Cross-Site Scripting (XSS) in /admin/Add notice/batch-notice.php via $_SERVER['PHP_SELF']

### Reflected Cross-Site Scripting (XSS) in /admin/Add notice/batch-notice.php via $_SERVER['PHP_SELF']

**Describe the bug**  
A reflected Cross-Site Scripting (XSS) vulnerability exists in `/admin/Add notice/batch-notice.php` at line 190. The script uses the unsanitized `$_SERVER['PHP_SELF']` variable as the form action attribute, allowing an attacker to inject arbitrary JavaScript code through a crafted URL.

**Steps to reproduce**  
1. Log in to the admin panel using the preset admin account (username: `admin`, password: `admin123`).  
2. Access the following crafted URL in a browser (the vulnerable page is only accessible after login):  

http://127.0.0.1:3000/admin/Add%20notice/batch-notice.php/%22%3E%3Cscript%3Ealert('XSS_POC')%3C/script%3E

3. The browser will execute the injected JavaScript and display an alert box with the text `XSS_POC`, confirming the vulnerability.

The malicious code can be replaced with more harmful scripts (e.g., to steal cookies, perform phishing, or hijack the admin session).

**Describe the solution**  
To fix this vulnerability, the `action` attribute should not directly output user-controllable input. Instead, use a hardcoded relative URL or properly sanitize the output.

Recommended fix:  
- Replace `<?php echo $_SERVER['PHP_SELF']; ?>` with a static value, such as `""` (post to same page) or `"batch-notice.php"`.  
- If dynamic values are necessary, use `htmlspecialchars()` to encode output:  
`<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>`

Screenshots
![](https://pic1.imgdb.cn/item/69ba549498447adc3518b3be.png)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Reflected Cross-Site Scripting (XSS) in /admin/Add notice/batch-notice.php via $_SERVER['PHP_SELF'] #238