Joined: Apr 2003
Posts: 15
Newbie
<body woot=""onload="alert('Test'); "></body>
With HTML on and JavaScript enabled in the browser, this will pop up a message box. In 6.1.1 at least, and on a few other forums I've tested.
What can be done to filter this out?
Joined: Dec 2000
Posts: 1,471
Addict
Disable HTML. There are several security risks if you allow users to use html in the forums.
Joined: Nov 2001
Posts: 10,369
I type Like navaho
Yeah - really bad practice to run HTML on. The door is too "wide open" with HTML and the reason that there is UBB Code as an alternative.
Joined: Apr 2003
Posts: 15
Newbie
I figured it out in case anyone else keeps HTML on and wants to disable it.
In addpost.php find this:

// --------------------------------------
// Display certain & characters correctly
$PrintSubject = str_replace("&amp;","&",$PrintSubject);
$PrintBody = str_replace("&amp;","&",$PrintBody);

and add this line right under it:

$PrintBody = str_replace("<body","disabled script",$PrintBody);
Joined: Jun 2001
Posts: 3,273
That 70's Guy
You would also need to strip out javascript, I believe. Something like:

<script language="javascript"> window.onload = alert("blah blah blah"); </script>

Or something like that... (and I know it's not xhtml compliant) LoL
Joined: Jun 2001
Posts: 3,273
That 70's Guy
Correction... Make that:

<script language="javascript">onload=alert("Allowing HTML in posts is not a good thing!");</script>

(this needs to be in a single line or .threads adds <br /> tags into the script and makes it fail)
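The patches in this thread blacklist one spelling of one tag at a time; the usual mitigation when HTML has to stay on is an allowlist that keeps only known-safe tags and attributes and drops everything else. The following is an added example in PHP, not code from UBB.threads or from anyone in this thread; it assumes PHP 7.4 or later with the bundled DOM extension, and the tag list, function names and sample inputs are chosen for illustration.

```php
<?php
// Added example (not UBB.threads code): allowlist filter for post bodies, in place of
// blacklisting "<body": keep known tags, unwrap the rest, strip unlisted attributes.
const ALLOWED_TAGS  = ['b', 'i', 'u', 'p', 'br', 'a', 'blockquote', 'code'];
const ALLOWED_ATTRS = ['a' => ['href']];    // href must also be a plain http(s) URL

function stripAttributes(DOMElement $el, string $tag): void {
    foreach (iterator_to_array($el->attributes) as $attr) {
        $name = strtolower($attr->name);
        $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
            && ($name !== 'href' || preg_match('#^https?://#i', trim($attr->value)));
        if (!$keep) { $el->removeAttribute($attr->name); }
    }
}

function cleanChildren(DOMNode $parent): void {
    // iterate over a snapshot, because the loop body rewrites the child list
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if (!$child instanceof DOMElement) { continue; }   // text nodes are inert
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $parent->removeChild($child);           // drop together with its contents
            continue;
        }
        cleanChildren($child);
        if (in_array($tag, ALLOWED_TAGS, true)) {
            stripAttributes($child, $tag);
            continue;
        }
        while ($child->firstChild) {                // unknown tag: keep only its content
            $parent->insertBefore($child->firstChild, $child);
        }
        $parent->removeChild($child);
    }
}

function sanitizePostHtml(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);               // tolerate sloppy user markup
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanChildren($body);                           // body's own attributes are never emitted
    return implode('', array_map(fn($n) => $doc->saveHTML($n), iterator_to_array($body->childNodes)));
}
// Constructed check: the two payloads from this thread plus some harmless markup.
echo sanitizePostHtml('<body woot=""onload="alert(\'Test\'); "></body><b>bold</b>'), "\n";
echo sanitizePostHtml('<script language="javascript">onload=alert("x");</script>'
    . '<a href="http://example.com/" onclick="alert(\'Test\')">link</a>'), "\n";
```

Because the filter works on the parsed tree rather than the raw text, it is not fooled by case or spacing variants of a tag the way a str_replace on a fixed string is, and it keeps user-visible text while discarding script blocks outright.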