neralex
|
 Posted:
Sat Jun 28, 2014 10:12 am |
|
That was my first idea but the tag is inside the array and as admin I can store the iframe-tag without a hit. This array has no restrictions for user/admins and the other thing is I'm getting a sentinel block-page with Abuse-Script.
In nukesentinel.php I found this:
php Code:function var_scripting_recursive($array, $type, $blocker_row) {
foreach ($array as $sec_key => $secvalue) {
if (is_array($secvalue)) {
var_scripting_recursive($secvalue, $type, $blocker_row);
} else {
if ($type == 'get') {
if((preg_match('/<[^>]script*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*object*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*iframe*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*applet*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*meta*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]style*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*form*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*img*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*onmouseover*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]body*\"?[^>]*>/i', $secvalue) && !preg_match('/<[^>]tbody*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/\([^>]*\"?[^)]*\)/i', $secvalue)) ||
(strstr($secvalue, '\"')) ||
(stristr($sec_key, 'forum_admin')) ||
(stristr($sec_key, 'inside_mod'))) {
block_ip($blocker_row);
}
}
if ($type == 'post'){
if(( preg_match('/<[^>]*iframe*\"?[^>]*/i', $secvalue)) ||
( preg_match('/<[^>]*object*\"?[^>]*/i', $secvalue)) ||
( preg_match('/<[^>]*applet*\"?[^>]*/i', $secvalue)) ||
( preg_match('/<[^>]*meta*\"?[^>]*/i', $secvalue)) ||
( preg_match('/<[^>]*onmouseover*\"?[^>]*/i', $secvalue)) ||
( preg_match('/<[^>]script*\"?[^>]*/i', $secvalue)) ||
( preg_match('/<[^>]body*\"?[^>]*>/i', $secvalue) && !preg_match('/<[^>]tbody*\"?[^>]*>/i', $secvalue)) ||
( preg_match('/<[^>]style*\"?[^>]*/i', $secvalue))) {
block_ip($blocker_row);
}
}
}
}
}
|
I changed it to this one:
php Code:function var_scripting_recursive($array, $type, $blocker_row) {
foreach ($array as $sec_key => $secvalue) {
if (is_array($secvalue)) {
var_scripting_recursive($secvalue, $type, $blocker_row);
} else {
if ($type == 'get') {
if((preg_match('/<[^>]script*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*object*\"?[^>]*>/i', $secvalue)) ||
#(preg_match('/<[^>]*iframe*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*applet*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*meta*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]style*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*form*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*img*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]*onmouseover*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/<[^>]body*\"?[^>]*>/i', $secvalue) && !preg_match('/<[^>]tbody*\"?[^>]*>/i', $secvalue)) ||
(preg_match('/\([^>]*\"?[^)]*\)/i', $secvalue)) ||
(strstr($secvalue, '\"')) ||
(stristr($sec_key, 'forum_admin')) ||
(stristr($sec_key, 'inside_mod'))) {
block_ip($blocker_row);
}
}
if ($type == 'post'){
#if(( preg_match('/<[^>]*iframe*\"?[^>]*/i', $secvalue)) ||
if(( preg_match('/<[^>]*object*\"?[^>]*/i', $secvalue)) ||
( preg_match('/<[^>]*applet*\"?[^>]*/i', $secvalue)) ||
( preg_match('/<[^>]*meta*\"?[^>]*/i', $secvalue)) ||
( preg_match('/<[^>]*onmouseover*\"?[^>]*/i', $secvalue)) ||
( preg_match('/<[^>]script*\"?[^>]*/i', $secvalue)) ||
( preg_match('/<[^>]body*\"?[^>]*>/i', $secvalue) && !preg_match('/<[^>]tbody*\"?[^>]*>/i', $secvalue)) ||
( preg_match('/<[^>]style*\"?[^>]*/i', $secvalue))) {
block_ip($blocker_row);
}
}
}
}
}
|
Note: for websites with many users they have the choice to publish articles or other content in forms is it maybe not the best way to remove the restrictions for iframes but in a time where youtube, soundcloud and other big networks are providing embedded content in iframes and registered users should have the choice to use it in forms to publish their content in RN, then is it a way to solve it. |
| |
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
