Don't allow on(anything)? ModSecurity has an "xss" monster regex... blacklisting is always error prone.<br><br><div class="gmail_quote">On Thu, Dec 4, 2008 at 5:14 PM, Jon Daley <span dir="ltr"><<a href="mailto:plogworld@jon.limedaley.com">plogworld@jon.limedaley.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> Thanks. Is there a better way to fix it than simply adding every tag we can think of, which I assume is always out-of-date, not exhaustive?<div>
<div></div><div class="Wj3C7c"><br>
<br>
On Thu, 4 Dec 2008, Matt Wood wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
filterJavaScript doesn't filter all JavaScript... here is one example I noticed looking at svn.<br>
<img src=dne onerror=alert(0) /><br>
<br>
On Thu, Dec 4, 2008 at 4:21 PM, <<a href="mailto:jondaley@devel.lifetype.net" target="_blank">jondaley@devel.lifetype.net</a>> wrote:<br>
Author: jondaley<br>
Date: 2008-12-04 16:21:57 -0500 (Thu, 04 Dec 2008)<br>
New Revision: 6754<br>
<br>
Modified:<br>
plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php<br>
Log:<br>
have to allow HTML whether the tinymce editor is enabled or not. At least filter javascript<br>
<br>
Modified: plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php<br>
===================================================================<br>
--- plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php 2008-12-04<br>
21:16:19 UTC (rev 6753)<br>
+++ plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php 2008-12-04<br>
21:21:57 UTC (rev 6754)<br>
@@ -70,15 +70,15 @@<br>
<br>
$this->_text = "";<br>
$text = $this->_request->getValue( "submissionText" );<br>
- $config =& Config::getConfig();<br>
- $htmlEnabled = $config->getValue("plugin_submissions_htmlarea_enabled");<br>
- $val2 = new StringValidator($htmlEnabled);<br>
+ $val2 = new StringValidator(true);<br>
if( !$val2->validate( $text )) {<br>
$errors["submissionText"] = true;<br>
$message["submissionText"] = $this->_locale->tr("error_submission_no_text");<br>
}<br>
else{<br>
- $this->_text = $text;<br>
+ // is this too much? Maybe just remove javascript?<br>
+// $this->_text = Textfilter::filterHtml($text);<br>
+ $this->_text = Textfilter::filterJavaScript($text);<br>
}<br>
<br>
$this->_categoryIds = "";<br>
<br>
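Review bot: the `+` lines in the else branch make Textfilter::filterJavaScript the only sanitization applied to submissionText, and the reply's onerror example shows it lets an event-handler attribute through, so script-stripping alone is not enough once HTML is always accepted (StringValidator(true)). Suggest sanitizing with an allowlist of tags and attributes (the commented-out Textfilter::filterHtml($text), or an equivalent that drops any attribute not explicitly permitted) rather than a filter that has to recognise every dangerous construct, and settle the "// is this too much? Maybe just remove javascript?" question before committing instead of leaving the question and the commented-out line in the code.<br>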
_______________________________________________<br>
pLog-svn mailing list<br>
<a href="mailto:pLog-svn@devel.lifetype.net" target="_blank">pLog-svn@devel.lifetype.net</a><br>
<a href="http://limedaley.com/mailman/listinfo/plog-svn" target="_blank">http://limedaley.com/mailman/listinfo/plog-svn</a><br>
<br>
<br>
<br>
<br>
</blockquote>
<br></div></div><font color="#888888">
-- <br>
Jon Daley<br>
<a href="http://jon.limedaley.com" target="_blank">http://jon.limedaley.com</a><br>
~~<br>
Lady: One who makes a man behave like a gentleman.<br>
-- Jimmy Lyons</font><br>_______________________________________________<br>
pLog-svn mailing list<br>
<a href="mailto:pLog-svn@devel.lifetype.net">pLog-svn@devel.lifetype.net</a><br>
<a href="http://limedaley.com/mailman/listinfo/plog-svn" target="_blank">http://limedaley.com/mailman/listinfo/plog-svn</a><br></blockquote></div><br>
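The allowlist approach argued for in this thread, as an added example that is not part of the thread or of the LifeType code: a Python sanitizer that keeps only listed tags, attributes and URL schemes, so onerror and every other event handler is dropped without being enumerated. The tag, attribute and scheme sets are assumed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed for illustration): anything absent from these sets is
# dropped, so onerror/onload/... never need to be enumerated in a denylist.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL
VOID_TAGS = {"br", "img"}

def url_allowed(value):
    # Browsers ignore tabs/newlines inside a URL, so strip control characters
    # before reading the scheme ("java\nscript:" would otherwise hide it).
    cleaned = "".join(ch for ch in value if ch > "\x20")
    return urlparse(cleaned).scheme.lower() in ALLOWED_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; any text inside it still passes, escaped
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, etc.
            if name in URL_ATTRS and not url_allowed(value):
                continue  # drops javascript: and other schemes in href/src
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> form
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Run against the onerror example from the thread, the output is `<img src="dne">`: the src attribute survives because it is listed, the handler does not because nothing in the allowlist admits it.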