473,320 Members | 2,161 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

XSS: Ways to disguise JavaScript tags?

Hi,

I'm trying to figure out how my users may use (or better misuse) the
input fields of my site to to insert JavaScript. I'm already replacing
all occurencies of "script" in every input field but I wanted to know
if anybody here ever stumbled upon a trick to disguise the <script>
tag?

Greets,
Snyke

Dec 17 '05 #1
5 2703
Method 1: Use "javascript:" in URLs.

Example: <img src="javascript: [do stuff here] ">

IE will blissfully execute the line.

Method 2: Put Javascript into handlers.

Example: <img onerror=" [do stuff here] " src="bobo.gif">

Method 3: Insert <script> in between letters of "script".

Example: <scr<script>ipt> .... </sc<script>ript>

After your code removes the bogus script tags, the ones that does
the real damage will reform.
Allowing users to inject HTML into your pages is asking for trouble.
Even if you managed to filter out all Javascript, there are still
plenty of other tricks that can be played: inner frames, base tags, CSS
positioning, ActiveX controls, etc..

Just make sure plain text fields are always passed through
htmlspecialchars() before output, then you're safe.

Dec 17 '05 #2
On 2005-12-17, Christian Decker <De**************@gmail.com> wrote:
Hi,

I'm trying to figure out how my users may use (or better misuse) the
input fields of my site to to insert JavaScript. I'm already replacing
all occurencies of "script" in every input field but I wanted to know
if anybody here ever stumbled upon a trick to disguise the <script>
tag?


Just search the web for a XSS cheat sheet...

--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>
Dec 17 '05 #3
Thanks for the tips,

I now delete everything between < and > that I don't allow.
Anything else?

Greets,
Snyke

Dec 18 '05 #4
As Chung Leong said...

Why not just use:

htmlspecialchars() to keep the tags, but in a safer form-
http://au3.php.net/manual/en/functio...ecialchars.php

strip_tags totally remove html tags except for ones you allow.-
http://au3.php.net/manual/en/function.strip-tags.php

Dec 18 '05 #5
It's a requirement given by my boss that I allow some basic formatting
using HTML, BBCode is not an option :-(
I know it sucks but that's what I was told...

Dec 18 '05 #6

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
by: Leila | last post by:
Hi, I am having a problem retrieving the html tags from my XML document when it's being loaded into a DOM object. For example, my xml contains the following: <my:InsideView> .. ..
1
by: Aaron | last post by:
Is asp.net immune to XSS exploits out of the box? or is this only true for VS shipped web controls?
0
by: Christian Decker | last post by:
Hi, I'm trying to figure out how my users may use (or better misuse) the input fields of my site to to insert JavaScript. I'm already replacing all occurencies of "script" in every input field...
1
by: Piper707 | last post by:
Hi, I'd like to know if there are any more ways of restricting an XML document to having only non-empty tags (containing Strings). I can think of 2 ways: 1) <xs:simpleType name="tagName">
4
by: Jim Carlock | last post by:
Are the XSS / Cross Site Scripting attacks fixed in Version 4.44? I'm seeing that $_SERVER doesn't return the $_SERVER appended to it. I was just messing with a few things and noticed that...
2
by: helraizer1 | last post by:
Hi all, I've noticed on my friend's site www.sheepeep.com/index.php?p=1 that is easy to manipulate with XSS, I don't mean it in a malicious way at all, just to give an idea as to what people can...
7
by: Petra Meier | last post by:
Hello, if I use the following function for all my mySql commands in php, am I protected against all SQLinjections and XSS attacks? function sanitize($value){ return...
3
by: nigelesquire | last post by:
Please help! I'm trying to clone and delete multiple rows with JavaScript. I need two delete buttons that work...! I only have one for now, but it's not working properly, the output count is...
0
by: DolphinDB | last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation. Take...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
0
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.