I’ve been writing a new form hijacker. Since this one is a pretty big deal for me, I wanted to make sure it was properly implemented. I implemented against my interpretation of the HTML 4 specification and did a pretty good job since I’m exactly compatible with Firefox, Opera, and Internet Explorer 8. Safari, Internet Explorer 6, and Internet Explorer 7 seem to have some bugs.
Safari seems to send the values of unnamed <select> elements, despite these elements being invalid. So, you may get a query string like text1=test&=selval if your <select> that contained an <option value="selval"> doesn't have a name attribute.
Internet Explorer 6 and 7 both mishandle <button> elements. Internet Explorer 6 sends all <button> elements with name attributes set, even though it should only send the <button> if it was clicked. Internet Explorer 7 doesn't send unclicked <button> elements, but any time Internet Explorer 6 or 7 sends a <button> it sends the innerHTML instead of the value.
So, given the deficiencies above, here's how to compensate. If you're using PHP, you don't need to worry about Safari sending unnamed <select> elements, as PHP seems to ignore them (or at least parse_str does). If you plan to use <button> elements, never give them names or values. Use radio controls if you have to do conditional actions based on what the user clicks.
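The successful-controls rules a form hijacker has to reproduce, together with the compensations just listed, as an added example that is not the author's hijacker: a JavaScript serializer written to the HTML 4.01 "successful controls" rules (section 17.13.2), so it never emits an unnamed <select>, only sends the <button> that was actually activated, and always sends a button's value rather than its innerHTML. The form and control objects in buildSampleForm() are constructed stand-ins with DOM-shaped properties (tagName, type, name, value, disabled, checked, options, selected) so the code runs outside a browser; the function names, the control names and the sample values are assumptions made for the illustration.

```javascript
// Added example, not the author's form hijacker: build the form data set the
// way HTML 4.01 section 17.13.2 ("successful controls") describes, so the query
// string a hijacker sends matches a conforming browser regardless of the quirks
// in Safari and Internet Explorer 6/7.
//
// Assumptions: form.elements is iterable and each control exposes the usual DOM
// properties (tagName, type, name, value, disabled, checked, options, selected).
// In a browser, pass the real HTMLFormElement and the button whose click started
// the submission; buildSampleForm() below returns constructed stand-ins.

function formDataSet(form, clickedButton, coords) {
  const pairs = [];
  for (const el of Array.from(form.elements)) {
    const tag = String(el.tagName || '').toUpperCase();
    // A <button> with no type attribute is a submit button; an <input> with no
    // type attribute is a text field.
    const type = String(el.type || (tag === 'BUTTON' ? 'submit' : 'text')).toLowerCase();

    // Controls with no name, or that are disabled, are never successful. This is
    // the rule Safari breaks for unnamed <select>s (the "&=selval" case).
    if (!el.name || el.disabled) continue;

    if (tag === 'SELECT') {
      // Every selected <option> contributes a pair (several for a multiple select).
      for (const opt of Array.from(el.options)) {
        if (opt.selected) pairs.push([el.name, opt.value]);
      }
      continue;
    }

    if (tag === 'TEXTAREA') {
      pairs.push([el.name, el.value]);
      continue;
    }

    if (tag === 'BUTTON' || type === 'submit' || type === 'image') {
      // Only the submit control that was activated is successful, and it
      // contributes its value attribute, never its content. IE6 sends every
      // named <button> and IE6/IE7 send innerHTML; neither happens here.
      if (type === 'reset' || type === 'button') continue;
      if (el !== clickedButton) continue;
      if (type === 'image') {
        // An image button sends the click coordinates as name.x and name.y.
        const c = coords || { x: 0, y: 0 };
        pairs.push([el.name + '.x', String(c.x)], [el.name + '.y', String(c.y)]);
      } else {
        pairs.push([el.name, el.value]);
      }
      continue;
    }

    if (tag !== 'INPUT') continue;
    switch (type) {
      case 'checkbox':
      case 'radio':
        if (el.checked) pairs.push([el.name, el.value]);
        break;
      case 'reset':
      case 'button':
      case 'file': // never successful, or not representable in a query string
        break;
      default: // text, password, hidden and the like
        pairs.push([el.name, el.value]);
    }
  }
  return pairs;
}

// application/x-www-form-urlencoded: spaces become "+", other reserved
// characters are percent-encoded. (encodeURIComponent leaves !'()* alone, which
// servers accept; a strict encoder would escape those as well.)
function urlencode(pairs) {
  const enc = (s) => encodeURIComponent(s).replace(/%20/g, '+');
  return pairs.map(([k, v]) => enc(k) + '=' + enc(v)).join('&');
}

function serializeForm(form, clickedButton, coords) {
  return urlencode(formDataSet(form, clickedButton, coords));
}

// Constructed sample form exercising each quirk from the post: an unnamed
// <select>, two named <button>s whose innerHTML differs from their value, a
// disabled field and an unchecked checkbox.
function buildSampleForm() {
  const save = { tagName: 'BUTTON', name: 'action', value: 'save', innerHTML: 'Save changes' };
  const del = { tagName: 'BUTTON', name: 'action', value: 'delete', innerHTML: '<b>Delete</b>' };
  const form = {
    elements: [
      { tagName: 'INPUT', type: 'text', name: 'text1', value: 'test' },
      { tagName: 'SELECT', name: '', options: [{ value: 'selval', selected: true }] },
      { tagName: 'SELECT', name: 'color',
        options: [{ value: 'red', selected: false }, { value: 'blue', selected: true }] },
      { tagName: 'INPUT', type: 'checkbox', name: 'agree', value: 'yes', checked: false },
      { tagName: 'INPUT', type: 'text', name: 'token', value: 'x', disabled: true },
      save,
      del,
    ],
  };
  return { form, save, del };
}
```

With the sample form, serializeForm(form, save) yields text1=test&color=blue&action=save: the unnamed <select> is dropped, the disabled field and unchecked checkbox are skipped, and only the clicked button appears, with its value rather than its markup. In a browser the hijacker passes the real form element plus the button whose click event started the submission (null when the form was submitted with Enter, in which case no button pair is sent); the server then sees exactly what it would have seen from a plain, unhijacked submit in a conforming browser.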
I still have some other testing to do, but these findings should help you cover your bases if you’re working with forms.