thoughts, ideas, code and other things...

Monday, September 03, 2007

Stripping out javascript from user input

Yesterday evening in the snail-slow-sluggish-s-s-s internet lab, Shaabi showed me the social networking website he had been working on from his school days. I immediately did very nasty things with its scrapbook feature which he was working on -

  • Inserted really, really huge images into scrapbook entries. All right, no issues :D
  • Inserted JavaScript; it was prone to XSS. Okay, still no biggie :D
  • Inserted recursive IFRAME tags!! Boom, maybe our sssslow lab systems can’t handle it.

We found a snippet to get rid of such inputs, and he quickly fixed the website. It runs a set of regular expressions over the submitted text with preg_replace, removing script and style blocks first and then any remaining tag or comment:

function strip_user_markup($document) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
        '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
        '@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
        '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments including CDATA
    );
    $text = preg_replace($search, '', $document);
    return $text;
}
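The same blacklist in Python, as an added example that is not part of the original post: it applies the snippet's four patterns (translated from PCRE to Python's re module) to entries like the three described above, then HTML-encodes the result at output time, which is the step that actually stops a browser from treating anything the patterns miss as markup. The function names and the sample scrapbook entries are constructed for this example.

```python
import html
import re

# The four patterns from the PHP snippet, translated to Python's re module.
# Python has no "U" (ungreedy) modifier; the *? quantifiers are already lazy.
STRIP_PATTERNS = [
    re.compile(r"<script[^>]*?>.*?</script>", re.I | re.S),  # script blocks
    re.compile(r"<style[^>]*?>.*?</style>", re.I | re.S),    # style blocks
    re.compile(r"<[/!]*?[^<>]*?>", re.I | re.S),             # any remaining tag
    re.compile(r"<![\s\S]*?--[ \t\n\r]*>"),                  # comments / CDATA
]


def strip_markup(document: str) -> str:
    """Apply the post's blacklist: delete script/style blocks, then every tag."""
    text = document
    for pattern in STRIP_PATTERNS:
        text = pattern.sub("", text)
    return text


def render_safely(user_input: str) -> str:
    """Strip markup on input, then HTML-encode what is left when rendering.

    Encoding is what prevents the browser from interpreting stored text as
    markup, so it is applied even though stripping has already run.
    """
    return html.escape(strip_markup(user_input), quote=True)


# Constructed scrapbook entries mirroring the three inputs from the post.
SAMPLES = {
    "huge_image": '<img src="big.png" width="99999" height="99999">hello',
    "script": 'hi <script type="text/javascript">alert(1)</script> there',
    "nested_iframes": '<iframe src="a"><iframe src="a"></iframe></iframe>text',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {render_safely(raw)!r}")
```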


