I'm going to work on developing a block for the use of javascript between img tags. With the exploit now becoming more widely known I think it's time to write a fix.
I know a fix is being developed for version 6.x boards but the version 5 users aren't that lucky.
What I'd like some help on is collecting words to filter in a msg post.
Obviously things like :
Javascript
document.onload
document.cookie
Get cookie
etc ....
any others ???
Thanks
I use this filter for the IMG tag in my private forums. In all other forums no IMG is allowed:
[code][/code]
What happens when the user posts [img ]somescript.js[/ img ]?
(correct me if I'm wrong) 5.xx users don't have cookies except for private forums, so you don't have to be afraid. And private forums cookies == temporary, so just don't enter any thread in the same IE after you enter private forums.
Hi LK, I think you'll find 5.XX has cookies, Username and Password respectively. As it does store these fields so when you post/reply they are automatically populated, therefore that information is coming from somewhere, has to be a cookie.
Cheers
I should never enter this forum again
Nahh no need to be like that!
We all make mistakes!
Something new about this chapter?
I got some attacks with IMG-Code on my forum and am searching for a hotfix.
What version are you running? I've only tested my fix on version 5.47d.
I can post fix details here if you like.
Regards
BassTeQ
Bass, you can't fix it by adding a lot of stuff to a block list, it's much more complicated. You'll have to make sure img and url tags don't include ", don't begin with javascript, etc, without forgetting that "javascript" can be written with stuff
Hi, if I test your example with this code below it doesn't seem to print the message that it's not permitted.
[code][/code]
If however I pass it a proper IMG path then all works OK.
[code][/code]
Any ideas?
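
The reply above argues that a word block list cannot work and that img and url values have to be checked for quotes and for what they begin with. One way to do that check as an allowlist, written in Python as an added example (not code from this thread or from the forum software); the function names, the extension list and the "[image not permitted]" notice are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed policy for this example: absolute http/https URLs ending in an image extension.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png")
# Whitespace, control characters, quotes and markup characters are refused outright,
# so a value can neither leave the src="..." attribute nor disguise its scheme.
FORBIDDEN = re.compile(r"[\x00-\x20\x7f\"'<>`\\]")
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def is_safe_image_url(url):
    """Return True only when url matches the allowlist; anything else is refused."""
    if not url or FORBIDDEN.search(url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    return parts.path.lower().endswith(ALLOWED_EXTENSIONS)


def render_img_tags(post):
    """Turn [img]...[/img] into an <img> element, or a notice when the URL is refused.

    Assumes the rest of the post text has already been HTML-escaped.
    """
    def replace(match):
        url = match.group(1)
        if is_safe_image_url(url):
            return '<img src="%s" alt="">' % url.replace("&", "&amp;")
        return "[image not permitted]"
    return IMG_TAG.sub(replace, post)


if __name__ == "__main__":
    # Constructed sample posts, not taken from the thread.
    for sample in ("[img]http://example.com/pics/cat.gif[/img]",
                   "[img]somescript.js[/img]",
                   "[IMG]javascript:alert(1)[/IMG]"):
        print(sample, "->", render_img_tags(sample))
```

The same test applies to url tags with the extension check dropped; the point is that the filter names what is permitted and refuses everything else.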