I wouldn't rely on that library by itself. As I emailed Kallahar quite a while ago about it is still vulnerable to at least one issue: <IMG SRC=ja&#x09;vascrip&#x09;t:alert(String.fromCharCode(88,83,83));> This works in IE6.0 and Opera 9.0. What it is doing is converting HTML entities into their ASCII equivalent. By doing that he is changing my string, "&#x09;" into "	" which is a newline, and injected within the javascript directive it breaks it up. This is a pretty good example of why conversion filters can be used against you. -RSnake http://ha.ckers.org/ http://sla.ckers.org/ On Sat, 21 Oct 2006, suppressed wrote:
Good find on this.
Here is the fix I applied:
Find on line ~85 in Sources/Search.php:
foreach ($temp_params as $i => $data)
{
@list ($k, $v) = explode('|\'|', $data);
$context['search_params'][$k] = stripslashes($v);
}
Change to:
foreach ($temp_params as $i => $data)
{
@list ($k, $v) = explode('|\'|', $data);
$context['search_params'][$k] = RemoveXSS(stripslashes($v));
}
The RemoveXSS function is taken from the following site:
http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php
I hope that handles all the issue related to this.
Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.