HellBound Hackers | Computer General | Web hacking
XSS filter (PHP)

Uber0n
Member



Posts: 1963
Location: Sweden
Joined: 13.06.06
Rank:
Hacker Level 3
Posted on 20-05-08 09:25
I just have a question about XSS filters, although it's not about escaping them. I've found quite a few sites with forms that allow HTML tags with a length of 3 characters to pass through the filter but remove all other ones. For example, the <u>, <b> and <i> tags get through but <br>, <script>, <iframe> and <img> do not.

What PHP function are the sites using, or is it just some kind of filter that they've written themselves? It could of course be strip_tags(), but then they must've set the filter argument to accept all of the short tags (and I can't see why anyone would do that in, for example, a registration form or search box...)

As I said, I've seen this on quite a few sites, so it's not just a single system that uses this solution... Any thoughts or ideas will be much appreciated B)



Edited by Uber0n on 20-05-08 09:25
RE: XSS filter (PHP)

Mr_Cheese




Posts: 2468
Location: Brighton, UK
Joined: 30.11.04
Rank:
Uber Elite
Posted on 20-05-08 10:45
Either they have their own custom function,

or it's strip_tags($string, "<br><img><p>") etc.


RE: XSS filter (PHP)

spyware
Member



Posts: 4192
Location:
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 20-05-08 11:03
Sounds like failed RegEx to me.


Edited by spyware on 20-05-08 11:04
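The two hypotheses raised so far (a hand-written regex and a strip_tags() allow-list) can be compared side by side. The PHP below is an added example written for this thread, not code posted by any member or taken from any of the sites Uber0n describes. The regex in buggyRegexFilter() is a hypothetical reconstruction of a filter that would behave exactly as described: its tag-name class demands at least two letters, so one-letter tags such as <b>, <i> and <u> are never matched and survive, while <br>, <img>, <script> and <iframe> are removed. The sample inputs are constructed for the demonstration.

```php
<?php
// Added example for the "XSS filter (PHP)" thread; not the original poster's
// code and not code from any real site.

// Hypothesis 1 (spyware): a custom regex that "fails" on short tag names.
// The {2,} quantifier is the bug: a one-letter tag name never matches, so
// <b>, <i> and <u> pass through untouched (attributes included).
function buggyRegexFilter(string $s): string {
    return preg_replace('#</?[a-z]{2,}[0-9]*[^>]*>#i', '', $s);
}

// Hypothesis 2 (Mr_Cheese): strip_tags() with an allow-list of short tags.
// Note that strip_tags() keeps attributes on allowed tags, so an event
// handler on <b> survives here as well.
function stripTagsAllowList(string $s): string {
    return strip_tags($s, '<b><i><u>');
}

// What a registration form or search box should actually do with user
// input that is reflected into HTML: encode it instead of filtering it.
function escapeForHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs covering the tags mentioned in the thread plus
// the attribute-injection case both filters miss.
$samples = [
    '<b>bold</b>',
    '<i>italic</i>',
    '<u>underlined</u>',
    '<br>',
    '<p>para</p>',
    '<img src=x onerror=alert(1)>',
    '<script>alert(1)</script>',
    '<iframe src="//evil.example"></iframe>',
    '<b onmouseover=alert(1)>hover me</b>',
];

printf("%-40s | %-30s | %-30s | %s\n", 'input', 'buggy regex', 'strip_tags allow-list', 'htmlspecialchars');
foreach ($samples as $in) {
    printf("%-40s | %-30s | %-30s | %s\n",
        $in,
        buggyRegexFilter($in),
        stripTagsAllowList($in),
        escapeForHtml($in)
    );
}
```

Running this shows that both candidate filters produce the observed behaviour on the tags from the first post, so the thread's question cannot be settled from tag names alone. The last sample is the practical check: if `<b onmouseover=alert(1)>` comes back with the attribute intact, the filter is either the regex or strip_tags() with an allow-list, and in both cases the "allowed" short tags are still an XSS vector, since neither approach touches attributes. Only the htmlspecialchars() column is safe for a search box or registration form.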
RE: XSS filter (PHP)

Uber0n
Member



Posts: 1963
Location: Sweden
Joined: 13.06.06
Rank:
Hacker Level 3
Posted on 20-05-08 17:09
Mr_Cheese wrote:
or its strip_tags($string, "<br><img><p>") etc

I don't think so, since all tags I've tried have been blocked except for the shortest possible ones. I suppose it's either a custom function that many people use or a failed Regex then...

Thanks Cheese and Spyware ^^

