PHP Security Issue!
Posted: Sat Jun 14, 2008 1:56 pm
We have a website that allows our users to add HTML to their profiles and such, until some person thought they were real funny and posted this:
<iframe src=http://lancxeon.com/jack****.html</iframe>
on their profile. In return, this contained JavaScript on that remote page that acted on our site and our users in a bad way.
The link above no longer contains the bad code and is resolved. We would really like to know how to censor out words/HTML tags that can cause XSS that our system does not normally detect as bad. Here is a snippet of our user_class file:
Code:
// DECODE TO MAKE HTML TAGS FOR PROFILE FIELDS VALID
// (this turns the escaped &lt;iframe&gt; stored in the field back into a live <iframe> tag)
$field_value_profile = htmlspecialchars_decode($field_value_profile, ENT_QUOTES);
// FORMAT VALUE FOR FORM
} else {
    // field_type 2 is a multi-line text field: turn stored <br> back into line breaks
    if ($field_info['field_type'] == 2) { $field_value = str_replace("<br>", "\r\n", $field_value); }
}
break;
I have read a lot on the PHP page on usage of htmlspecialchars and str_replace, but nothing will truly get rid of the code from being used, or at least being HTML-safe.
Any help I would greatly appreciate it!
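The snippet above undoes htmlspecialchars() so the stored markup becomes live HTML again, and no str_replace denylist can keep up with every tag and attribute a browser will execute. The usual fix is the opposite approach: parse the profile HTML and keep only an allowlist of tags and attributes. The following is an added example (not the poster's code, and not from any library); it assumes PHP's ext/dom is available, and the tag list and sample input are constructed for illustration.

```php
<?php
// Added example (not the poster's code): allowlist sanitizer for profile HTML, assumes ext/dom.
// Anything not listed is removed, so <iframe>, <script>, on* handlers and javascript: URLs never survive.
function sanitize_profile_html(string $html): string
{
    // Tags that may remain, each with the attributes it may keep (constructed allowlist).
    $allowed = ['b' => [], 'i' => [], 'u' => [], 'p' => [], 'br' => [], 'a' => ['href']];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // user markup is usually malformed; swallow parser warnings
    $doc->loadHTML('<?xml encoding="utf-8" ?>' . $html);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }
    clean_node($body, $allowed);
    // Serialize only the body's children; the DOM re-escapes text, so a stray '<' comes out as &lt;
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
function clean_node(DOMNode $node, array $allowed): void
{
    // Walk a snapshot: removing children while iterating the live list skips nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset($allowed[$tag])) {
                $node->removeChild($child);   // unknown tag: drop it together with its content
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                if (!in_array($attr->name, $allowed[$tag], true)) {
                    $child->removeAttribute($attr->name);   // onload, style, src, ...
                }
            }
            // Only absolute http(s) links survive; javascript:, data: and vbscript: are dropped.
            if ($tag === 'a' && !preg_match('~^https?://~i', trim($child->getAttribute('href')))) {
                $child->removeAttribute('href');
            }
            clean_node($child, $allowed);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);   // comments and processing instructions
        }
    }
}
// Constructed input in the spirit of the post: the iframe and the link's bad attributes disappear.
$input = '<b>hi</b> <iframe src="http://example.com/bad.html"></iframe><a href="javascript:alert(1)" onclick="x()">link</a>';
echo sanitize_profile_html($input), "\n";
```

Run this on the value before it is stored (or before it is echoed into the profile page) instead of the htmlspecialchars_decode() step; everything the allowlist does not name is gone, so there is no list of bad words to maintain.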