Warning: Undefined array key "payload" in /app/challenges/csp04.php on line 2
Deprecated: preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in /app/challenges/csp04.php on line 2
Warning: Cannot modify header information - headers already sent by (output started at /app/challenges/csp04.php:2) in /app/challenges/csp04.php on line 5
Your raw payload
Warning: Undefined array key "payload" in /app/challenges/csp04.php on line 21
inject
src
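<?php
/*
 * CSP training challenge (csp04): reflects the "payload" query parameter into
 * the page in two places and relies on a nonce-based Content-Security-Policy
 * to stop injected script from running.
 *
 * Deliberately weak by design -- do not copy into real applications:
 *   - the payload is echoed into the HTML body without output encoding;
 *   - the JavaScript-context "escaping" is a four-character denylist, not
 *     context-aware encoding (production code would use
 *     json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)
 *     for script context and htmlspecialchars() for HTML context);
 *   - the policy allows 'unsafe-eval' and sets neither base-uri nor
 *     object-src, which a hardened nonce policy normally restricts.
 */

// Read the parameter once. A missing key or a non-string value (payload[]=x)
// becomes '' so that no warning is printed before header() runs: any output
// at this point makes header() fail with "headers already sent", and the
// policy is then never delivered.
$payload = $_GET['payload'] ?? '';
if (!is_string($payload)) {
    $payload = '';
}

// Strip backtick, dollar sign and angle brackets before the value is placed
// inside a JavaScript template literal further down.
$escaped = preg_replace('/[`$<>]/', '', $payload);

// Fresh 20-byte random nonce per response; it must match the nonce attributes
// on both script tags below, otherwise the page's own scripts are blocked.
$nonce = base64_encode(random_bytes(20));

// The header name is required: a bare directive string is not a
// Content-Security-Policy header, so the browser would enforce nothing.
header("Content-Security-Policy: script-src 'strict-dynamic' 'nonce-" . $nonce . "' 'unsafe-eval';");
?>
<head>
<script src="hook.js" nonce="<?= $nonce ?>"></script>
</head>
<body>
<script nonce="<?= $nonce ?>">
window.addEventListener("load", function() {
var input = `<?= $escaped ?>`;
window.injectarea.innerHTML = `${input} is your payload; Could you execute a script? :-)`
});
</script>
<h1>Your raw payload</h1>
<?php /* Intentionally unencoded reflection: the policy above is the only
         control on this sink. Outside a lab this must be
         htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). */ ?>
<?= $payload ?>
<div id="injectarea"></div>
<h1>inject</h1>
<form>
<textarea id="payload" name="payload" placeholder="your payload here"></textarea>
<input type="submit" value="GO">
</form>
<h1>src</h1>
<?php /* Shows this file's own source to the player. basename(__FILE__) is a
         relative path, so this presumably relies on the working directory
         being the script's directory -- confirm for the deployment. */ ?>
<?php highlight_string(file_get_contents(basename(__FILE__))); ?>
</body>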