aracnet
New Member


Joined: Oct 31, 2004
Posts: 3
Posted: Thu Apr 07, 2005 3:42 pm
Once madman offered me the following script if you do not have magic quotes in mainfile.php.
I wanted to expand it to filter scripts and tags by renaming them, like below. It does not work: it doesn't change the strings which have "script" in them. Where is the error?
Code:
// walk every request variable and write the filtered value back
reset($_REQUEST);
foreach ($_REQUEST as $seckey => $secvalue)
{
$secvalue = strtolower($secvalue); // note: the lowercased value is what gets stored back
if (get_magic_quotes_gpc()) $secvalue = stripslashes($secvalue); // undo magic_quotes escaping first
$secvalue = str_replace('\\', '&'.'#92;', $secvalue);
$secvalue = str_replace('\'', '&'.'#39;', $secvalue);
$secvalue = str_replace('"', '&'.'quot;', $secvalue);
$secvalue = str_replace("\x00", '', $secvalue);
// rename the keywords so they cannot form a working tag
$secvalue = str_replace('script', 'scprt', $secvalue);
$secvalue = str_replace('style', 'styyle', $secvalue);
if (isset($_GET[$seckey])) $_GET[$seckey] = $secvalue;
if (isset($_POST[$seckey])) $_POST[$seckey] = $secvalue;
if (isset($_COOKIE[$seckey])) $_COOKIE[$seckey] = $secvalue;
if (isset($HTTP_GET_VARS[$seckey])) $HTTP_GET_VARS[$seckey] = $secvalue;
if (isset($HTTP_POST_VARS[$seckey])) $HTTP_POST_VARS[$seckey] = $secvalue;
if (isset($HTTP_COOKIE_VARS[$seckey])) $HTTP_COOKIE_VARS[$seckey] = $secvalue;
}
Also I am wondering how the forum module in Nuke can allow scripts inside the [ code ] tag, although there is a filter for scripts in mainfile.php as:
Code:
foreach ($_GET as $sec_key => $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
(eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
(eregi("\"", $secvalue)) ||
(eregi("forum_admin", $sec_key)) ||
(eregi("inside_mod", $sec_key))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}
foreach ($_POST as $secvalue) {
if ((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}
I just want to make it the same as in my other modules.
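For comparison, here is an added example (not code from the thread or from PHP-Nuke) that filters the request arrays the way a current PHP developer would: it encodes HTML-significant characters with htmlspecialchars() instead of renaming keywords, and it recurses into array values such as foo[]=..., which the loop above cannot handle. It assumes PHP 5.4 or later; the get_magic_quotes_gpc() guard is there because that function no longer exists in PHP 8.

```php
<?php
// Added example: recursive request sanitizer, not the original poster's script.

function sanitize_value($value)
{
    if (is_array($value)) {
        // Inputs like foo[]=x arrive as arrays; strtolower()/str_replace()
        // on an array would not filter anything, so recurse instead.
        $clean = array();
        foreach ($value as $k => $v) {
            $clean[$k] = sanitize_value($v);
        }
        return $clean;
    }
    $value = (string) $value;
    // Undo magic_quotes_gpc escaping if this interpreter still applies it
    // (the function was removed in PHP 8, hence the function_exists guard).
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Drop NUL bytes, which some downstream consumers treat as terminators.
    $value = str_replace("\x00", '', $value);
    // Encode <, >, &, " and ' so the text survives intact but is inert in HTML.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function sanitize_request_arrays()
{
    // Rewrite the superglobals in place; $HTTP_*_VARS are just aliases in
    // old PHP and no longer exist in new PHP, so they are not touched here.
    foreach (array('_GET', '_POST', '_COOKIE') as $name) {
        $GLOBALS[$name] = sanitize_value($GLOBALS[$name]);
    }
    $_REQUEST = sanitize_value($_REQUEST);
}

// Constructed sample input standing in for a decoded query string.
$sample = array(
    'title' => 'Tom\'s "Script" <b>Notes</b>',
    'tags'  => array('<SCRIPT>', 'ok'),
);
$clean = sanitize_value($sample);
echo $clean['title'], "\n";
echo $clean['tags'][0], "\n";
```

Because the characters are encoded rather than removed, a post containing the word "script" or a style attribute inside a [ code ] block is displayed literally instead of being silently altered.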
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
Posted: Fri Apr 08, 2005 10:53 pm
Just a guess, but I see a possible typo:
Code:
$secvalue = str_replace('script', 'scprt', $secvalue);
Did you mean scrpt instead of scprt?