26 lines
703 B
PHP
26 lines
703 B
PHP
|
<?php
|
||
|
|
||
|
$headerCSP = "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';";
|
||
|
|
||
|
header($headerCSP);
|
||
|
|
||
|
// Disable XSS protections so that inline alert boxes will work
|
||
|
header ("X-XSS-Protection: 0");
|
||
|
|
||
|
# <script nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=">alert(1)</script>
|
||
|
|
||
|
?>
|
||
|
<?php
|
||
|
if (isset ($_POST['include'])) {
|
||
|
$page[ 'body' ] .= "
|
||
|
" . $_POST['include'] . "
|
||
|
";
|
||
|
}
|
||
|
$page[ 'body' ] .= '
|
||
|
<form name="csp" method="POST">
|
||
|
<p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
|
||
|
<input size="50" type="text" name="include" value="" id="include" />
|
||
|
<input type="submit" value="Include" />
|
||
|
</form>
|
||
|
';
|