Question

What I mean:

http://kjventura.com/2011/11/make-pretty-urls-with-php-url-routing/

I use this system on my site (development stage). With URLs like:

site.com/tag/lorem

As an example, I output "lorem" into an h1 tag on the webpage.

But how do I launch a simple alert() with this URL scheme? I don't escape anything (deliberately).


Solution

Since $_SERVER['REQUEST_URI'] contains the unchanged URI as it appeared in the request line, the characters that can get passed depend on what characters are allowed in a URI path, more precisely in a path segment:

segment       = *pchar
pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

Where pct-encoded is a percent-encoded octet, and unreserved as well as sub-delims are defined as follows:

unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
            / "*" / "+" / "," / ";" / "="

These allowed characters are not sufficient for a Cross-Site Scripting attack when the injection occurs in the content of an HTML element like in your case a <h1>…</h1>. You would at least need a < to be able to create a start-tag.

However, if you decode the percent-encoded octets, any character can be passed.
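The difference between the raw and the decoded segment, and the output encoding that makes the decoded value safe inside an h1 element, shown as an added example that is not part of the original answer. The function names `is_valid_segment` and `render_heading` and the sample paths are constructed for illustration.

```php
<?php
// Added example: check a path segment against the RFC 3986 grammar quoted
// above, then decode it and HTML-escape it before it reaches the page.

// Literal characters allowed by pchar: unreserved / sub-delims / ":" / "@"
const PCHAR_LITERAL = 'A-Za-z0-9\-._~!$&\'()*+,;=:@';

/** True if $raw matches segment = *pchar (literals or %XX octets only). */
function is_valid_segment(string $raw): bool
{
    $pattern = '/^(?:[' . PCHAR_LITERAL . ']|%[0-9A-Fa-f]{2})*$/';
    return preg_match($pattern, $raw) === 1;
}

/** Decode the segment, then escape it for use as HTML element content. */
function render_heading(string $raw): string
{
    // After decoding, any octet can appear, including "<".
    $decoded = rawurldecode($raw);
    $safe = htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>' . $safe . '</h1>';
}

// Constructed sample request paths; a live handler would read
// $_SERVER['REQUEST_URI'] instead.
$samples = ['/tag/lorem', '/tag/lorem%3Cb%3E', '/tag/a<b'];

foreach ($samples as $uri) {
    $path = (string) parse_url($uri, PHP_URL_PATH);
    $segments = explode('/', trim($path, '/'));
    $tag = $segments[1] ?? '';

    printf(
        "%-20s valid=%-5s raw_has_lt=%-5s decoded_has_lt=%-5s out=%s\n",
        $uri,
        var_export(is_valid_segment($tag), true),
        var_export(strpos($tag, '<') !== false, true),
        var_export(strpos(rawurldecode($tag), '<') !== false, true),
        render_heading($tag)
    );
}
```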

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow