On Thu, 2002-08-15 at 21:16, <-delusion-> wrote:
> Jelmer's accusation that my proposed fix is flawed is wrong. He demonstrates
> a code that uses the <a> tag, if you look at my solution:
> 
> $message = strip_tags($message, '<br><b><u><i>');
> 
> 
> The <a> tag is not allowed. Only the tags <br><b><u><i> are allowed. I did
> talk to Jelmer and told him my solution successfully stripped the tags from
> his code, he replied with this message:
> 
> > <?php
> > $myText = '<a done=false STYLE="visibility : hidden; word-spacing :
> > expression( !(eval(this.done)) ? location.href=\'http://kuperus.xs4all.nl\'
> > : 0 ); word-wrap : expression(this.done=true);"> test</a>';
> > $string = strip_tags($myText, '<a><b><i><u>'); <a>
> > echo $string
> >
> > ?>
> >
> > works on my php 4.06
> 
> He uses this string:
> $string = strip_tags($myText, '<a><b><i><u>'); <a>
> which allows the <a> tag, so therefore his code got executed when he ran it.
> 
> It was just a mistake on Jelmer's part. If you seek a quick fix for this
> vuln, just use my solution. It works.

You should keep in mind the fact that <u>, <i>, and <b> tags allow
"style" attributes in them as well, meaning that the "expression" will
be evaluated and run -- you have not solved the problem at all by
disallowing the "<a>" tag.

You should look into a more in-depth solution for filtering user input
with PHP. This is the point where I blatantly push my little (ahem)
script that I wrote for just these purposes. You may adapt it to your
needs as you see fit (licensing issues notwithstanding).

http://www.mricon.com/html/phpfilter.html

Regards,
-- 
 0>  Konstantin ("Icon") Riabitsev
/ )  Duke University Physics Sysadmin
 ~   www.phy.duke.edu/~icon/pubkey.asc
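Added example (not code from either poster, nor from the phpfilter script linked above) illustrating the point of the reply: strip_tags() with an allow-list removes tags, but it leaves every attribute on the allowed tags in place, so a style="expression(...)" or an on* handler on <b>, <u> or <i> survives. The hardened function below keeps the same allow-list as the thread and additionally rewrites each surviving tag as a bare, attribute-free tag, then HTML-escapes the text between them. The input string is constructed for the demonstration.

```php
<?php
// Constructed input: an allowed <b> tag carrying a style "expression()" payload,
// a disallowed <a> tag, and an allowed <u> tag carrying an event handler.
$input = '<b style="width: expression(alert(1))">bold</b> '
       . '<a href="http://example.invalid/">link</a> '
       . '<u onmouseover="alert(2)">underlined</u>';

// The proposed quick fix: <a> disappears, but the attributes on <b> and <u> stay.
$weak = strip_tags($input, '<br><b><u><i>');
echo "strip_tags only:\n$weak\n\n";

/**
 * Keep only the tags in $allowed and drop every attribute on them, so that
 * style, on*, href etc. cannot ride along on an allowed tag. Text outside the
 * tags is HTML-escaped. $allowed is the same allow-list used in the thread.
 */
function allow_bare_tags(string $html, array $allowed = ['br', 'b', 'u', 'i']): string
{
    // Step 1: remove every tag that is not on the allow-list (strip_tags does this well).
    $keep = '<' . implode('><', $allowed) . '>';
    $html = strip_tags($html, $keep);

    // Step 2: rewrite each surviving tag, whatever attributes it carries, as a
    // bare open or close tag: "<B STYLE=...>" becomes "<B>", "</b >" becomes "</b>".
    $names   = implode('|', array_map('preg_quote', $allowed));
    $pattern = '#<(/?)(' . $names . ')\b[^>]*>#i';
    $html    = preg_replace($pattern, '<$1$2>', $html);

    // Step 3: split on the bare tags (captured at odd indices) and escape the
    // text segments in between, so stray "<" or quotes cannot form new markup.
    $parts = preg_split('#(</?(?:' . $names . ')>)#i', $html, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {
            // double_encode=false keeps existing entities such as &amp; intact.
            $parts[$i] = htmlspecialchars($part, ENT_QUOTES, 'UTF-8', false);
        }
    }
    return implode('', $parts);
}

$hardened = allow_bare_tags($input);
echo "attribute-free allow-list:\n$hardened\n";
// Expected: <b>bold</b> link <u>underlined</u>

// Sanity checks on the hardened output: no expression(), no event handler, no <a>.
assert(strpos($hardened, 'expression(') === false);
assert(stripos($hardened, 'onmouseover') === false);
assert(stripos($hardened, '<a') === false);
```

The regex approach is adequate for a fixed list of simple inline tags with no attributes wanted at all; as soon as some attributes must be preserved (an href on <a>, for instance), a real HTML parser with a per-tag attribute allow-list and URL-scheme checks is the right tool, which is the kind of in-depth filtering the reply recommends.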
