View Full Version : Network site, safely block bad code.

11-09-2006, 05:20 AM
w.o blocking everything, i need a better fin and replace system than this, what would be the best, and what all do i need to block out.. what all does myspace block? and how do they do it?

if (!strstr($about, "[code]")) {
include($phpbb_root_path . 'includes/file.'.$phpEx);
foreach ($word as $key => $file) {
$about = eregi_replace ( (sql_regcase("$key")), "$file", $about);
$about = str_replace("[code]", "", $about);

that is what i do right now, and it pulls from "file.php" and replaces things.

but is there a better way?
and again, what all should be blocked. <javascript> has sooo many ways to get around. but myspace has it down pact for the most part, so what all do they block?

11-09-2006, 09:30 AM
you tried

$code = POST_['code'];
$str = "<";
$str1 = ">";
str_replace("$str", "&lt;" "$code");
str_replace($str1, "&gt;", "$code");

i think this is right, although not that familiar with using str_replace

11-09-2006, 03:42 PM
yea that would block all html out of my site :p
and that would piss users off, and they would just go back to myspace.

but all i want to do is block malicious code. and i got most of it down.

but how would i go about blocking invalid img tags, see myspace does it somhow.

<img src="image.jpg"> <img src="image.png"> <img src="image.bmp> ect ect all work, but if you attmept to enter one w.o a valid file extension it turns into ..

<img turns into ..

<img src turns into ..

and so on, no matter how you type it, if it is not valid it wont allow it.
so how do they do that?

11-09-2006, 09:33 PM
what code you trying to change/block?

$str = '<img scr="*.PNG">'; //* is a wildcard
str_replace('$str', 'WARNING PNG Files Not Allowed', '$str');

something like this?

11-10-2006, 02:24 PM
no, i think that would block the image png right?
i dont want to block images, here is a overview of what myspace does when you try to use the image tag.

<img src="blah.jpg"> Image would work

<img src="blah.png"> Image would work

<img src="blah.bmp"> Image would work

<img src="blah.gif"> Image would work

<img src="blah.tif"> Image would work

<img would be filtered

<img src would be filtered

<img src="blah.fake"> would be filtered

<img src="blah"> would be filtered

<IMG SRC="javascript:alert('XSS');"> would be filtered

i wanna do the same thing, it only allows img tags to bypass the filter if they have a valid file extension

11-10-2006, 05:14 PM
so you would want to create a script like

$filetype = //get the filetype of the image
$array = array(PNG, png, JPG, jpg, BMP, bmp, otherext);
if ($imgtype != $array)
Echo "file type not supported!";
//you code here if image allowed