[pLog-svn] r6754 - plugins/branches/lifetype-1.2/submissions/class/action

Matt Wood matt at woodzy.com
Thu Dec 4 17:18:22 EST 2008


Don't allow on(anything)? ModSecurity has an "xss" monster regex...
Blacklisting is always error-prone.

On Thu, Dec 4, 2008 at 5:14 PM, Jon Daley <plogworld at jon.limedaley.com> wrote:

>        Thanks.  Is there a better way to fix it than simply adding every
> tag we can think of, which I assume is always out-of-date, not exhaustive?
>
>
> On Thu, 4 Dec 2008, Matt Wood wrote:
>
>> filterjavascript doesn't filter all JavaScript... here is one example I
>> noticed looking @ svn.
>> <img src=dne onerror=alert(0) />
>>
>> On Thu, Dec 4, 2008 at 4:21 PM, <jondaley at devel.lifetype.net> wrote:
>>      Author: jondaley
>>      Date: 2008-12-04 16:21:57 -0500 (Thu, 04 Dec 2008)
>>      New Revision: 6754
>>
>>      Modified:
>>
>> plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php
>>      Log:
>>      have to allow HTML whether the tinymce editor is enabled or not.  At
>> least filter javascript
>>
>>      Modified:
>> plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php
>>      ===================================================================
>>      ---
>> plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php
>>        2008-12-04
>>      21:16:19 UTC (rev 6753)
>>      +++
>> plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php
>>        2008-12-04
>>      21:21:57 UTC (rev 6754)
>>      @@ -70,15 +70,15 @@
>>
>>                  $this->_text = "";
>>                  $text = $this->_request->getValue( "submissionText" );
>>      -                       $config =& Config::getConfig();
>>      -            $htmlEnabled =
>> $config->getValue("plugin_submissions_htmlarea_enabled");
>>      -            $val2 = new StringValidator($htmlEnabled);
>>      +            $val2 = new StringValidator(true);
>>                  if( !$val2->validate( $text )) {
>>                      $errors["submissionText"] = true;
>>                      $message["submissionText"] =
>> $this->_locale->tr("error_submission_no_text");
>>                  }
>>                  else{
>>      -                $this->_text = $text;
>>      +                    // is this too much?  Maybe just remove
>> javascript?
>>      +//                $this->_text = Textfilter::filterHtml($text);
>>      +                $this->_text = Textfilter::filterJavaScript($text);
>>                  }
>>
>>                  $this->_categoryIds = "";
>>
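Review bot: the replacement `$this->_text = Textfilter::filterJavaScript($text);` is a denylist pass over untrusted submission text, and this very thread shows input it lets through (`<img src=dne onerror=alert(0) />`), so the stored submission still carries an inline event handler; the fix that holds up is an allowlist sanitizer that drops every tag and attribute not explicitly permitted (which removes all `on*` attributes by construction) rather than a list of known-bad patterns. Also, the commented-out `//                $this->_text = Textfilter::filterHtml($text);` line and the "is this too much?" question belong in the commit log or a tracker issue, not as dead code in the else branch; either keep the filterHtml call or delete the line.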
>>      _______________________________________________
>>      pLog-svn mailing list
>>      pLog-svn at devel.lifetype.net
>>      http://limedaley.com/mailman/listinfo/plog-svn
>>
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> Lady: One who makes a man behave like a gentleman.
> -- Jimmy Lyons
>
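The "don't allow on(anything)" approach from the reply above, as an added example that is not LifeType code: a denylist pass in the shape of a "strip the JavaScript" filter, beside an allowlist sanitizer that keeps only named tags and attributes, both run over the `<img ... onerror=...>` payload quoted in the thread and a constructed mixed sample. The tag/attribute allowlist, the http(s)-only URL rule and the function names are assumptions for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed inputs: the first is the payload quoted in the thread.
PAGE_SAMPLE = '<img src=dne onerror=alert(0) />'
MIXED_SAMPLE = '<p>See <a href="javascript:alert(1)">this</a> <img src="http://e.com/x.png" alt="x" /></p>'
# Denylist: what a "strip the JavaScript" pass typically amounts to.
SCRIPT_RE = re.compile(r'<script\b.*?</script>', re.I | re.S)
JS_URL_RE = re.compile(r'javascript\s*:', re.I)
def denylist_filter(html):
    # Removes known-bad patterns; anything not on the list passes through.
    return JS_URL_RE.sub('', SCRIPT_RE.sub('', html))
# Allowlist (assumed for illustration): tag -> attributes permitted on it.
ALLOWED = {'p': set(), 'b': set(), 'i': set(), 'a': {'href'}, 'img': {'src', 'alt'}}

def safe_url(value):
    # Relative and http(s) URLs only; whitespace is stripped before checking the scheme.
    v = re.sub(r'\s', '', value or '').lower()
    scheme, sep, _ = v.partition(':')
    return not sep or scheme in ('http', 'https')

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag dropped; its text content is still kept
        kept = ''
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # on* handlers are never listed, so they vanish here
            if name in ('href', 'src') and not safe_url(value):
                continue
            kept += ' %s="%s"' % (name, escape(value or '', quote=True))
        self.out.append('<%s%s>' % (tag, kept))
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... />: emit no closing tag
    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != 'img':
            self.out.append('</%s>' % tag)
    def handle_data(self, data):
        self.out.append(escape(data))

def allowlist_sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return ''.join(p.out)
```

The denylist leaves the thread's payload untouched, while the allowlist keeps `src="dne"` and discards `onerror` without ever having to name it.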