<body woot=""onload="alert('Test'); "></body>
With HTML on, and JavaScript enabled in the browser, this will pop up a message box. In 6.1.1 at least, and a few other forums I've tested on.
What can be done to filter this out?
Disable HTML. There are several security risks if you allow users to use html in the forums.
Yeah - really bad practice to run HTML on. The door is too "wide open" with HTML and the reason that there is UBB Code as an alternative.
I figured it out in case anyone else keeps HTML on and wants to disable it.
In addpost.php find this:
// --------------------------------------
// Display certain & characters correctly
$PrintSubject = str_replace("&","&",$PrintSubject);
$PrintBody = str_replace("&","&",$PrintBody);
and add this line right under it.
$PrintBody = str_replace("<body","disabled script",$PrintBody);
You would also need to strip out javascript, I believe.
Something like:
<script language="javascript">
window.onload = alert("blah blah blah");
</script>
Or something like that... (and I know it's not xhtml compliant) LoL
Correction..
Make that:
<script language="javascript">onload=alert("Allowing HTML in posts is not a good thing!");</script>
(this needs to be on a single line or .threads adds <br /> tags into the script and makes it fail)
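As an added illustration (not code from the thread or from UBB.threads), this PHP snippet runs the str_replace patch suggested above and a plain htmlspecialchars() escape over the two payloads posted in this thread, showing why the patch still lets the <script> version through while escaping neutralises both. The function names are my own; the sample posts are constructed from the payloads quoted above.

```php
<?php
// Added example: compare the "<body" str_replace patch with escaping the
// whole post body. Sample posts are constructed from this thread's payloads.
$posts = [
    '<body woot="" onload="alert(\'Test\'); "></body>',
    '<script language="javascript">onload=alert("Allowing HTML in posts is not a good thing!");</script>',
];

// The patch proposed in the thread: only the literal, lowercase "<body" is touched,
// so any other tag that can run script (e.g. <script>) is left untouched.
function filter_body_tag(string $body): string {
    return str_replace("<body", "disabled script", $body);
}

// What "disable HTML" amounts to: escape <, >, & and quotes so the browser
// renders the post as text instead of parsing it as markup.
function escape_html(string $body): string {
    return htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}

foreach ($posts as $post) {
    echo "str_replace patch: " . filter_body_tag($post) . "\n";
    echo "escaped:           " . escape_html($post) . "\n\n";
}
```

The first post comes out of the patch as harmless text, but the second is returned unchanged and would still execute; htmlspecialchars() turns both into inert `&lt;...&gt;` text, which is the outcome the "disable HTML" replies are recommending.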