I am learning about cross-site scripting and have made a simple HTML page along with a PHP page to return the data entered:

```html
<!DOCTYPE html>
<html>
<head>
  <title>Inject</title>
</head>
<body>
  <form name="MyForm" id="MyForm" method="POST" action="handle.php">
    <label name="MyLabel" id="MyLabel" for="FirstName">First Name</label>
    <input type="text" name="FirstName" id="FirstName">
    <input type="submit" name="ButtonSubmit" id="ButtonSubmit">
  </form>
</body>
</html>
```

```php
<?php
// handle.php: reflects the submitted FirstName value into the response without any encoding
$Name = $_POST['FirstName'];
echo "Injected: " . $Name;
```

When I enter a script `<script>alert("Injected!");</script>` in Google Chrome, Chrome takes out all the content inside the script tags. It allows HTML injections, for example injecting `<h1>Injected!</h1>` into the input field.
I believe it's some kind of anti-XSS embedded into Chrome that prevents injecting script tags.
Can anyone confirm this?
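
Whatever a browser filters out on its side, the reflection itself happens in `handle.php`, so the fix belongs there. The following is an added example, not part of the original post: the same handler with the value encoded for HTML output. The helper names `html_text` and `first_name` and the Content-Security-Policy header are assumptions introduced for illustration.

```php
<?php
declare(strict_types=1);

// Hardened variant of handle.php (added example, not the poster's code).

/**
 * Encode a value for an HTML text context so that <, >, &, " and '
 * are emitted as entities instead of being parsed as markup.
 * (html_text is a hypothetical helper name.)
 */
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Read the FirstName field from the submitted form data.
 * A missing field, or an array sent as FirstName[]=..., is treated as empty.
 * (first_name is a hypothetical helper name.)
 */
function first_name(array $post): string
{
    $raw = $post['FirstName'] ?? '';
    return is_string($raw) ? $raw : '';
}

// Declare the charset so the browser does not have to guess the encoding.
header('Content-Type: text/html; charset=UTF-8');

// Defence in depth (an assumption, not something the original page uses):
// with no script source allowed, inline scripts are not executed even if
// an encoding call is missed somewhere else in the page.
header("Content-Security-Policy: default-src 'none'");

echo 'Injected: ' . html_text(first_name($_POST));
```

With this handler both inputs from the question, the `<script>` element and the `<h1>` element, are displayed as literal text in every browser, regardless of any client-side filter.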