@ryuone
Created June 11, 2017 14:26
<?php
// https://www.w3.org/TR/CSP2/
// Policy variants tried during testing. Send only one Content-Security-Policy header at a time.
//header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'");
//header("Content-Security-Policy: default-src 'self'; script-src 'self'");
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'");
// Active policy: deny everything by default, allow same-origin for the listed directives,
// and keep 'unsafe-inline' so the inline onClick/onChange/onKeydown handlers below still run.
header("Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src 'self'; form-action 'self'; script-src 'self' 'unsafe-inline'");
/* Post HTML data (test markup to submit through the textarea form below).
<input type='button' onClick='console.log("");' value='name'/>
<a onClick='console.log("clicked....");' value='name'>Click me</a>
*/
//header('X-XSS-Protection: 0');
//header('X-XSS-Protection: 1');
// Legacy browser XSS auditor: block rendering instead of trying to sanitise the page.
header('X-XSS-Protection: 1; mode=block');
?>
<!DOCTYPE html>
<html lang="ja">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<form method="post" action="./xss.php">
<textarea name="textarea1" id="" cols="30" rows="10" onClick="console.log('onClicked...');" onKeydown="console.log('hello');"></textarea>
<input type="submit" value="送信する">
<input type='button' onClick='console.log("");' value='name'/>
<select onChange="console.log('onChanged...');" onClick="console.log('select onClicked...')">
<option value=1>1
<option value=2 selected>2
<option value=3>3
</select>
<div>
<pre>
<?php
// Reflection experiments, left commented out. Echoing $_POST['textarea1'] unescaped reflects
// the submitted markup verbatim; wrap it in htmlspecialchars() to render it as text instead.
//print_r($_POST);
//echo($_POST['textarea1']);
//echo('<textarea name="textarea1" id="" cols="30" rows="10" onKeydown="console.log(\'hello\');"></textarea>');
?>
</pre>
</div>
</form>
</body>
</html>
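The four Content-Security-Policy variants in the gist differ in whether the inline `onClick`/`onChange` handlers and same-origin scripts are allowed to run. The following Python script is an added example, not part of the gist, that applies the CSP2 rules to a header string: `script-src` governs scripts, falling back to `default-src` when absent; `'none'` on its own blocks everything; inline handlers need `'unsafe-inline'`; and a nonce or hash source makes a CSP2 browser ignore `'unsafe-inline'`. The list of headers at the bottom is constructed from the gist plus two extra cases (a bare `default-src 'none'` and a nonce-based policy) to show the fallback and nonce behaviour the gist does not exercise.

```python
"""Classify what a Content-Security-Policy header means for script execution (CSP2 rules)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ScriptPolicy:
    effective_directive: str  # directive that governed the decision ("script-src", "default-src", or "(none)")
    allows_self: bool         # may a <script src="..."> from the same origin run
    allows_inline: bool       # may inline <script> bodies and on* event handlers run
    blocks_everything: bool   # governing directive is exactly 'none'


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, *sources = tokens
        # First occurrence wins per CSP2; later duplicates are ignored.
        policy.setdefault(name.lower(), sources)
    return policy


def script_policy(header: str) -> ScriptPolicy:
    """Decide how scripts are treated under the given header value."""
    policy = parse_csp(header)
    if "script-src" in policy:
        name = "script-src"
    elif "default-src" in policy:
        name = "default-src"  # CSP2 fallback when script-src is absent
    else:
        # No governing directive: the policy says nothing about scripts at all.
        return ScriptPolicy("(none)", True, True, False)

    sources = [s.lower() for s in policy[name]]
    # A nonce or hash source causes CSP2 user agents to ignore 'unsafe-inline'.
    has_nonce_or_hash = any(re.match(r"^'(nonce-|sha(256|384|512)-)", s) for s in sources)
    allows_inline = "'unsafe-inline'" in sources and not has_nonce_or_hash
    allows_self = "'self'" in sources
    blocks_everything = sources == ["'none'"]
    return ScriptPolicy(name, allows_self, allows_inline, blocks_everything)


def describe(header: str) -> str:
    """One-line human summary for a header value."""
    p = script_policy(header)
    if p.blocks_everything:
        return f"{p.effective_directive}: all scripts blocked"
    parts = [
        "same-origin scripts " + ("allowed" if p.allows_self else "blocked"),
        "inline handlers " + ("allowed" if p.allows_inline else "blocked"),
    ]
    return f"{p.effective_directive}: " + ", ".join(parts)


# Constructed sample set: the gist's four variants plus two extra cases.
SAMPLE_HEADERS = [
    "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "default-src 'self'; script-src 'self'",
    "script-src 'self' 'unsafe-inline'",
    "default-src 'none'; base-uri 'self'; child-src 'self'; form-action 'self'; script-src 'self' 'unsafe-inline'",
    "default-src 'none'",
    "default-src 'none'; script-src 'self' 'unsafe-inline' 'nonce-EXAMPLEPLACEHOLDER'",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h}\n  -> {describe(h)}")
```

Running it shows why the gist's active header still fires the `console.log` handlers: `script-src 'self' 'unsafe-inline'` overrides `default-src 'none'` for scripts, and `'unsafe-inline'` is what permits the event-handler attributes. Dropping `'unsafe-inline'` (the second variant) or adding a nonce (the last sample) is what actually stops reflected inline handlers from executing.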