UBB.Dev
Posted By: chiefmonkey Security against onload javascripts. - 05/20/2003 10:37 PM
<body woot=""onload="alert('Test'); "></body>

With HTML on, and javascript enabled on a browser, this will popup a message box. In 6.1.1 at least, and a few other forums I've tested on.

What can be done to filter this out?
Posted By: Astaran Re: Security against onload javascripts. - 05/20/2003 10:50 PM
Disable HTML. There are several security risks if you allow users to use html in the forums.
Posted By: JoshPet Re: Security against onload javascripts. - 05/20/2003 11:07 PM
Yeah - really bad practice to run HTML on. The door is too "wide open" with HTML and the reason that there is UBB Code as an alternative.
Posted By: chiefmonkey Re: Security against onload javascripts. - 05/20/2003 11:31 PM
I figured it out in case anyone else keeps HTML on and wants to disable it.

In addpost.php find this:

// --------------------------------------
// Display certain & characters correctly
$PrintSubject = str_replace("&","&",$PrintSubject);
$PrintBody = str_replace("&","&",$PrintBody);

and add this line right under it.
$PrintBody = str_replace("<body","disabled script",$PrintBody);
Posted By: JustDave Re: Security against onload javascripts. - 05/20/2003 11:35 PM
You would also need to strip out javascript, I believe.

Something like:

<script language="javascript">
window.onload = alert("blah blah blah");
</script>


Or something like that... (and I know it's not xhtml compliant) LoL
Posted By: JustDave Re: Security against onload javascripts. - 05/20/2003 11:44 PM
Correction..

Make that:

<script language="javascript">onload=alert("Allowing HTML in posts is not a good thing!");</script>

(this needs to be in a single line or .threads ads <br /> tags into the script and makes it fail)
© UBB.Developers