
View Full Version : Network site, safely block bad code.



LancXeon
11-09-2006, 06:20 AM
Without blocking everything, I need a better find-and-replace system than this. What would be the best, and what all do I need to block out? What all does MySpace block, and how do they do it?



// about
if (!strstr($about, "[code]")) {
    // includes/file.php defines $word: search term => replacement
    include($phpbb_root_path . 'includes/file.' . $phpEx);
    foreach ($word as $key => $file) {
        // eregi_replace()/sql_regcase() were removed in PHP 7; preg_replace() with the
        // i modifier does the same case-insensitive replace, preg_quote() keeps $key literal
        $about = preg_replace('/' . preg_quote($key, '/') . '/i', $file, $about);
    }
}
$about = str_replace("[code]", "", $about);




That is what I do right now; it pulls from "file.php" and replaces things.

But is there a better way?
And again, what all should be blocked? <javascript> has sooo many ways to get around it, but MySpace has it down pat for the most part, so what all do they block?

rafiki
11-09-2006, 10:30 AM
Have you tried



$code = $_POST['code'];
$str  = "<";
$str1 = ">";
// str_replace() returns the new string; it does not change $code in place
$code = str_replace($str, "&lt;", $code);
$code = str_replace($str1, "&gt;", $code);

I think this is right, although I'm not that familiar with using str_replace.

LancXeon
11-09-2006, 04:42 PM
Yeah, that would block all HTML out of my site :p
and that would piss users off, and they would just go back to MySpace.

But all I want to do is block malicious code, and I've got most of it down.

But how would I go about blocking invalid img tags? See, MySpace does it somehow.

<img src="image.jpg"> <img src="image.png"> <img src="image.bmp"> etc. etc. all work, but if you attempt to enter one without a valid file extension it turns into ..

<img turns into ..

<img src turns into ..

and so on. No matter how you type it, if it is not valid it won't allow it.
So how do they do that?

rafiki
11-09-2006, 10:33 PM
What code are you trying to change/block?



// Replaces any <img> tag whose src ends in .png (the "* is a wildcard" idea);
// str_replace() has no wildcards, so a regular expression is needed
$str = preg_replace('/<img\s+src="[^"]*\.png"\s*>/i', 'WARNING PNG Files Not Allowed', $str);


Something like this?

LancXeon
11-10-2006, 03:24 PM
No, I think that would block the PNG image, right?
I don't want to block images. Here is an overview of what MySpace does when you try to use the image tag.



<img src="blah.jpg"> Image would work

<img src="blah.png"> Image would work

<img src="blah.bmp"> Image would work

<img src="blah.gif"> Image would work

<img src="blah.tif"> Image would work

<img would be filtered

<img src would be filtered

<img src="blah.fake"> would be filtered

<img src="blah"> would be filtered

<IMG SRC="javascript:alert('XSS');"> would be filtered


I wanna do the same thing: it only allows img tags to bypass the filter if they have a valid file extension.

rafiki
11-10-2006, 06:14 PM
So you would want to create a script like



// $imgsrc is assumed to hold the src value pulled out of the tag earlier
$filetype = strtolower(pathinfo($imgsrc, PATHINFO_EXTENSION)); // get the file type of the image
$array = array('png', 'jpg', 'bmp', 'otherext');                // lower-cased, so PNG and png both match
if (!in_array($filetype, $array, true)) // "!=" against an array does not compare to its members
{
    echo "file type not supported!";
}
else
{
    // your code here if image allowed
}
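Putting the allow-list sketch above together with the behaviour LancXeon lists for MySpace, here is an added example (not code from the thread or from any poster) of an img filter: a tag survives only if its src is an http/https or relative URL whose path ends in an allowed image extension, and it is re-emitted with src as its only attribute, so onerror= and friends are dropped along with it. Everything else, including a dangling "<img" or "<img src" fragment and a javascript: src, becomes "..". filter_img_tags() and ALLOWED_IMG_EXT are this example's own names.

```php
<?php
// Added example, not code from the thread. Allow-list filter for <img> tags in
// user-supplied HTML: keep only src, and only when the URL looks like an image.
// filter_img_tags() and ALLOWED_IMG_EXT are names chosen for this example.

const ALLOWED_IMG_EXT = ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'tif', 'tiff'];

function filter_img_tags(string $html): string
{
    // "<img" followed by anything up to an optional ">" also catches fragments
    return preg_replace_callback('/<img\b[^>]*>?/i', function (array $m): string {
        // src="..." / src='...' / src=bare; (?| makes every alternative group 1
        $re = '/\bsrc\s*=\s*(?|"([^"]*)"|\'([^\']*)\'|([^\s>"\']+))/i';
        if (!preg_match($re, $m[0], $s)) {
            return '..';                       // "<img" or "<img src" with no value
        }
        // Undo entity encoding so &#106;avascript: cannot hide the scheme
        $src = html_entity_decode($s[1], ENT_QUOTES, 'UTF-8');
        // Browsers ignore tabs/newlines inside URLs, so refuse any whitespace/control char
        if ($src === '' || preg_match('/[\s\x00-\x1f\x7f]/', $src)) {
            return '..';
        }
        $parts = parse_url($src);
        if ($parts === false) {
            return '..';
        }
        $scheme = strtolower($parts['scheme'] ?? '');
        if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
            return '..';                       // javascript:, data:, vbscript: ...
        }
        $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
        if (!in_array($ext, ALLOWED_IMG_EXT, true)) {
            return '..';                       // "blah", "blah.fake", or no path at all
        }
        // Rebuild the tag from scratch: validated src only, properly escaped
        return '<img src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '">';
    }, $html);
}

// Constructed samples mirroring the table in the thread
foreach (['<img src="blah.jpg">', '<IMG SRC="javascript:alert(\'XSS\');">',
          '<img src="blah.fake">', '<img src', '<img src="x.png" onerror="alert(1)">'] as $in) {
    printf("%-42s => %s\n", $in, filter_img_tags($in));
}
```

The extension only says what the URL claims to be; the remote server can still answer with anything, so the filter's real value is that every attribute except a validated src is thrown away.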


