xss problems solved over lol


    type 1

    Code:
    // Type 1: a blocklist. The pattern uses "(" and ")" as its PCRE delimiters, so the
    // alternation is <, >, %, ;, <a, <img, <script, <script> and a double quote. The
    // quote has to be escaped inside the PHP string (the unescaped " in the original
    // ended the string early and did not parse); <a, <img and <script are already
    // covered by <. Any hit throws the whole message away.
    // $text is the untrusted input, e.g. $_POST['text'].
    if (preg_match("(<|>|%|;|<a|<img|<script|<script>|\")", $text))
    {
        $text = "Illegal tags used!";
    }
    type 2

    Code:
    function xss($text, $subject, $action)
    {
        // One replacement table for message board text, subject and action:
        // every listed character becomes its numeric HTML entity.
        $map = array(
            "%" => "&#37;",  ">" => "&#62;",  "<" => "&#60;",  "@" => "&#64;",
            "£" => "&#163;", "$" => "&#36;",  "#" => "&#35;",  "'" => "&#39;",
            "," => "&#44;",  "-" => "&#45;",  "^" => "&#94;",  "`" => "&#96;",
            "{" => "&#123;", "}" => "&#125;", "®" => "&#174;", "©" => "&#169;",
            "§" => "&#167;", "¨" => "&#168;",
        );
        // strtr() with an array replaces in a single pass, so the "#" inside an
        // entity emitted for an earlier character is not encoded a second time
        // (the chained str_replace() calls turned "&#37;" into "&&#35;37;").
        $encode = function ($s) use ($map) {
            return strtr($s, $map);
        };
        // The original returned after the first block, so $subject and $action were
        // never processed, and html_entity_decode() turned the entities straight back
        // into the raw characters. Return all three values, still encoded.
        return array($encode($text), $encode($subject), $encode($action));
    }
    Usage !

    Code:
    // Pass the real request values. In the original, '$_POST[text]' in single quotes
    // was a literal string, so the request data never reached the function.
    list($text, $subject, $action) = xss(
        isset($_POST['text'])    ? $_POST['text']    : '',
        isset($_POST['subject']) ? $_POST['subject'] : '',
        isset($_GET['action'])   ? $_GET['action']   : ''
    );
    echo $text;
    Visit: Chat4u.mobi - The New Lay Of being a site of your dreams!
    Visit: WapMasterz Coming Back Soon!
    _______
    SCRIPTS FOR SALE BY SUBZERO
    Chat4u Script : coding-talk.com/f28/chat4u-mobi-script-only-150-a-17677/ - > Best Script for your site no other can be hacked by sql or uploaders.
    FileShare Script : coding-talk.com/f28/file-wap-share-6596/ -> Uploader you will never regret buying yeah it mite be old now but it still seems to own others...
    _______
    Info & Tips
    php.net
    w3schools.com
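As an added example (my code, not part of the post above), the script below reproduces the two posted approaches as written, type1() and type2(), and runs them on constructed inputs next to htmlspecialchars() with ENT_QUOTES, which is what output into HTML text or a quoted attribute value needs. type2() keeps a subset of the posted table in the posted order, including the html_entity_decode() at the end, so its behaviour is the posted behaviour and not the corrected version.

```php
<?php
// Added example, not the original post's code. type1() and type2() reproduce the two
// posted approaches as written (type2 keeps a subset of the table, in the posted
// order) so that their behaviour can be compared with htmlspecialchars().

// Type 1 as posted: reject the whole message if any listed character appears.
function type1($text) {
    if (preg_match("(<|>|%|;|<a|<img|<script|<script>|\")", $text)) {
        return "Illegal tags used!";
    }
    return $text;
}

// Type 2 as posted: chained str_replace() calls, then html_entity_decode().
function type2($text) {
    $text = str_replace("%", "&#37;", $text);
    $text = str_replace(">", "&#62;", $text);
    $text = str_replace("<", "&#60;", $text);
    $text = str_replace("#", "&#35;", $text);   // also rewrites the "#" of every entity above
    $text = str_replace("`", "&#96;", $text);
    $text = str_replace("{", "&#123;", $text);
    $text = str_replace("}", "&#125;", $text);
    return html_entity_decode($text);           // turns entities back into characters
}

// Output encoding for HTML text and quoted attribute values.
function html_escape($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs.
$samples = array(
    // Nothing from the type 1 list and nothing from the type 2 table: both pass it
    // through unchanged. So does htmlspecialchars(): the defence for this one is
    // quoting the attribute, not encoding.
    "x onmouseover=alert(1)",
    // Type 1 rejects it. Type 2 ends up with &#60;script&#62; only because the "#"
    // replacement had turned "&#60;" into "&&#35;60;" before the decode, and the
    // decode then only resolves the "&#35;". Safe by accident.
    "<script>alert(1)</script>",
    // Legitimate text that type 1 refuses to accept at all.
    "1 < 2 and 100% sure",
    // Characters replaced after "#" in the table are decoded straight back: the
    // encoding done by type 2 is undone by its own last line.
    "`{braces}`",
);

foreach ($samples as $s) {
    echo "input:     ", $s, "\n";
    echo "type 1:    ", type1($s), "\n";
    echo "type 2:    ", type2($s), "\n";
    echo "escaped:   ", html_escape($s), "\n";
    echo "in HTML:   <p>", html_escape($s), "</p>\n";
    echo "in attr:   <input value='", html_escape($s), "'>\n";
    echo "unquoted:  <input value=", html_escape($s), ">   (a space ends the value; encoding cannot help)\n\n";
}

// The chaining defect on its own: "%" becomes "&#37;", then "#" is replaced inside it.
echo str_replace("#", "&#35;", str_replace("%", "&#37;", "100%")), "\n";
```

The first sample is the one worth keeping in mind: a blocklist only catches the characters it lists, and an attribute that is not quoted can be escaped with a plain space, so the markup around the value matters as much as the function applied to it.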

    #2
    You know, using preg_match is misguided coding. It could help you temporarily, but if the ha.ckers.org cheat sheet is anything to go by, you need a stronger library. There's HTMLPurifier, but that's too slow; there's htmLawed, your best bet. There's also Wibble, second best bet.



      #3
      Well it helps out others


        #4
        It may help. Use it in .htaccess

        Code:
        # Each condition is an unanchored, case-sensitive substring match (no [NC] flag)
        # on the request path and the raw query string joined with "?".
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)chmod(.*) [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)chown(.*) [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)wget(.*) [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)cmd(.*) [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)cd%20(.*) [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)scp(.*) [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)curl(.*)
        # The post stopped at the conditions (and left a dangling [OR] on the last one);
        # a RewriteRule is needed for them to do anything. This one answers 403 Forbidden
        # when any condition above matches.
        RewriteRule .* - [F,L]
        Before this you should add (if not already added)
        Code:
        RewriteEngine On
        # RewriteBase <path>   (the argument was missing from the post; it is the URL
        #                       path of the directory this .htaccess file lives in)
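To see what those conditions actually match, here is an added example (my code, not from the post and not from any script mentioned in the thread) that applies the same seven patterns in PHP to constructed request lines, joined as mod_rewrite joins %{REQUEST_URI}?%{QUERY_STRING}. It assumes the rules exactly as posted: unanchored "(.*)word(.*)" substrings with no [NC] flag, so matching is case-sensitive. The sample requests are constructed.

```php
<?php
// Added example: a PHP model of the posted RewriteCond list, not Apache itself.
// Each condition is "(.*)word(.*)" against "REQUEST_URI?QUERY_STRING", no [NC] flag.
$conditions = array('chmod', 'chown', 'wget', 'cmd', 'cd%20', 'scp', 'curl');

// Returns the first pattern that matches, or null when the request would pass.
function rewrite_block($request_uri, $query_string, array $conditions) {
    $subject = $request_uri . '?' . $query_string;
    foreach ($conditions as $word) {
        // Same regex as the .htaccess line; the (.*) on both sides make it a plain
        // substring test, and without [NC] it is case-sensitive.
        if (preg_match('/(.*)' . preg_quote($word, '/') . '(.*)/', $subject)) {
            return $word;
        }
    }
    return null;
}

// Constructed requests: ordinary site traffic first, then attack-shaped ones.
$requests = array(
    array('/index.php',        'page=home'),
    array('/photos/curly.jpg', 'size=large'),        // "curly" contains "curl"
    array('/profile.php',      'name=abcd%20xyz'),   // "abcd%20" contains "cd%20"
    array('/chat.php',         'msg=I+used+curl+today'),
    array('/index.php',        'x=cd%20/tmp'),       // matches "cd%20" as sent on the wire
    array('/index.php',        'x=CMD'),             // upper case: no [NC], so it passes
    array('/index.php',        'x=Wget+http://example.invalid/'),
);

foreach ($requests as $r) {
    list($uri, $qs) = $r;
    $hit = rewrite_block($uri, $qs, $conditions);
    printf("%-20s %-34s %s\n", $uri, $qs, $hit === null ? 'pass' : "blocked by '$hit'");
}
```

Two things fall out of running it: legitimate requests whose path or query happens to contain one of the words are refused, and an attacker only has to change the case of the word to get past the list, because the posted conditions carry no [NC] flag.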



          #5
          strip_tags and htmlspecialchars are enough to block XSS.



            #6
            Mod rewrite is good

            Added after 2 minutes:

            I saw that code in the dmpwap script haha. It's working. strip_tags and htmlspecialchars are not enough
            Last edited by Jerson; 24.08.10, 08:57.



              #7
              Thanks

              Thanks subzero


              http://www.toinx.org



                #8
                pagal is right xD, a simple htmlspecialchars will do, no need for str_replace, that's for noobs
                Last edited by wapxtech; 03.11.10, 00:18.

                http://wapx.amob.com
                Applications, Games, Wallpapers, Ringtones, Videos, Themes, Screensaver and More!!!



                  #9
                  This does not mean your site will be 100% safe if you're using htmlspecialchars!!

                  Most of your coding can easily bypass your htmlspecialchars('input');

                  Doing this str_replace does let you use (!@($!@(!@&*#(@!)* with HTML-friendly code, so users can still use characters on your forum! Most htmlspecialchars don't do all characters the right way!!
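Both sides of this argument are right for different output contexts. The following added example (mine, not code from the thread) takes one untrusted value per context and places it where a PHP message board typically puts it: htmlspecialchars() with ENT_QUOTES covers HTML text and quoted attribute values, while a user-supplied link needs an allowlist on its scheme and a value dropped into inline JavaScript needs json_encode() with the HEX flags. The field names, the markup and the inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example, not the thread's code. Shows which contexts htmlspecialchars()
// covers and which need a different treatment.

function html_text($s) {
    // HTML body text and quoted attribute values. ENT_QUOTES also encodes the
    // single quote, which the default ENT_COMPAT leaves alone.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function safe_href($url) {
    // htmlspecialchars() does nothing against "javascript:alert(1)", which contains
    // no special characters at all. Allow only http(s) links, otherwise drop the link.
    $url = trim($url);
    if (preg_match('#^https?://#i', $url)) {
        return html_text($url);
    }
    return '#';
}

function js_string($s) {
    // A value inside <script>: emit it as a JSON string literal. The HEX flags turn
    // < > & ' " into \u00XX escapes, so the HTML parser never sees a "</script>" and
    // the attribute quoting around an inline handler is not affected. Input must be
    // valid UTF-8, or json_encode() returns false.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed inputs, one per context.
$samples = array(
    'text'    => "<b>hi</b> & 'bye'",
    'nick'    => "' onfocus=alert(1) autofocus='",
    'website' => "javascript:alert(document.cookie)",
    'status'  => "</script><script>alert(1)</script>",
);

// 1. HTML text: covered by htmlspecialchars().
echo "<p>", html_text($samples['text']), "</p>\n";

// 2. Attribute value: covered by htmlspecialchars() as long as the attribute is
//    quoted; ENT_QUOTES is what keeps the single-quoted form closed.
echo "<input name='nick' value='", html_text($samples['nick']), "'>\n";

// 3. URL in href: check the scheme first, then encode for the attribute.
echo "<a href=\"", safe_href($samples['website']), "\">site</a>\n";

// 4. Inline script: the browser does not decode entities inside <script>, so
//    htmlspecialchars() would only corrupt the value, and an unencoded value would
//    end the script element. json_encode() with the HEX flags is the right tool.
echo "<script>var status = ", js_string($samples['status']), ";</script>\n";
```

So "htmlspecialchars is enough" holds for the first two cases, and "it is not enough" holds for the other two; the decision is made per output location, not once per input field.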
