473,406 Members | 2,371 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > php > questions > xss: ways to disguise javascript tags?

Join Bytes to post your question to a community of 473,406 software developers and data experts.

XSS: Ways to disguise JavaScript tags?

Hi,

I'm trying to figure out how my users may use (or better misuse) the
input fields of my site to to insert JavaScript. I'm already replacing
all occurencies of "script" in every input field but I wanted to know
if anybody here ever stumbled upon a trick to disguise the <script>
tag?

Greets,
Snyke

Dec 17 '05 #1
5 2709
Method 1: Use "javascript:" in URLs.

Example: <img src="javascript: [do stuff here] ">

IE will blissfully execute the line.

Method 2: Put Javascript into handlers.

Example: <img onerror=" [do stuff here] " src="bobo.gif">

Method 3: Insert <script> in between letters of "script".

Example: <scr<script>ipt> .... </sc<script>ript>

After your code removes the bogus script tags, the ones that does
the real damage will reform.
Allowing users to inject HTML into your pages is asking for trouble.
Even if you managed to filter out all Javascript, there are still
plenty of other tricks that can be played: inner frames, base tags, CSS
positioning, ActiveX controls, etc..

Just make sure plain text fields are always passed through
htmlspecialchars() before output, then you're safe.

Dec 17 '05 #2
On 2005-12-17, Christian Decker <De**************@gmail.com> wrote:
Hi,

I'm trying to figure out how my users may use (or better misuse) the
input fields of my site to to insert JavaScript. I'm already replacing
all occurencies of "script" in every input field but I wanted to know
if anybody here ever stumbled upon a trick to disguise the <script>
tag?


Just search the web for a XSS cheat sheet...

--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>
Dec 17 '05 #3
Thanks for the tips,

I now delete everything between < and > that I don't allow.
Anything else?

Greets,
Snyke

Dec 18 '05 #4
As Chung Leong said...

Why not just use:

htmlspecialchars() to keep the tags, but in a safer form-
http://au3.php.net/manual/en/functio...ecialchars.php

strip_tags totally remove html tags except for ones you allow.-
http://au3.php.net/manual/en/function.strip-tags.php

Dec 18 '05 #5
It's a requirement given by my boss that I allow some basic formatting
using HTML, BBCode is not an option :-(
I know it sucks but that's what I was told...

Dec 18 '05 #6
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
CDATA within Javascript function
by: Leila | last post by:
Hi, I am having a problem retrieving the html tags from my XML document when it's being loaded into a DOM object. For example, my xml contains the following: <my:InsideView> .. ..
.NET Framework
1
asp.net XSS protection
by: Aaron | last post by:
Is asp.net immune to XSS exploits out of the box? or is this only true for VS shipped web controls?
ASP.NET
0
XSS: Ways to disguise JavaScript tags?
by: Christian Decker | last post by:
Hi, I'm trying to figure out how my users may use (or better misuse) the input fields of my site to to insert JavaScript. I'm already replacing all occurencies of "script" in every input field...
PHP
1
XSD: ways of restricting xml to non-empty tags?
by: Piper707 | last post by:
Hi, I'd like to know if there are any more ways of restricting an XML document to having only non-empty tags (containing Strings). I can think of 2 ways: 1) <xs:simpleType name="tagName">
.NET Framework
4
XSS / Cross Site Scripting Attacks Fixed $_SERVER['PHP_SELF'] ?
by: Jim Carlock | last post by:
Are the XSS / Cross Site Scripting attacks fixed in Version 4.44? I'm seeing that $_SERVER doesn't return the $_SERVER appended to it. I was just messing with a few things and noticed that...
PHP
2
How would one protect against XSS - HTML injection?
by: helraizer1 | last post by:
Hi all, I've noticed on my friend's site www.sheepeep.com/index.php?p=1 that is easy to manipulate with XSS, I don't mean it in a malicious way at all, just to give an idea as to what people can...
PHP
7
Question on SQLinjection and XSS
by: Petra Meier | last post by:
Hello, if I use the following function for all my mySql commands in php, am I protected against all SQLinjections and XSS attacks? function sanitize($value){ return...
PHP
3
Cloning and Deleting Multiple Rows with Javascript
by: nigelesquire | last post by:
Please help! I'm trying to clone and delete multiple rows with JavaScript. I need two delete buttons that work...! I only have one for now, but it's not working properly, the output count is...
Javascript
0
How to turn on java script in a villaon keypad mobile phone
by: Charles Arthur | last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
Java
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing
0
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
General
0
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
Career Advice

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!