
http://scott.projecth4x0r.com/beta2/message.php?id=203

Might want to limit the size of signatures. As I said before, your edit signature is annoying. All HTML is stripped, yet it changes BBCode to HTML for the next time you go in to change something, so you have to change the entire thing.

I know why everything isn't working, there is a new beta testing link:

http://scott.projecth4x0r.com/beta2

That is where everything is more secure.

 

XSS still there on that beta2 though.

http://scott.projecth4x0r.com/beta2/message.php?id=\%22%3E%3Cmarquee%3ESTEPHENS%20TESTLOL%3C/marquee%3E

Also:

http://scott.projecth4x0r.com/beta2/member.php?username=%22%3E%3Cmarquee%3ESTEPHENS%20TESTLOL%3C/marquee%3E

You should make it so if the user doesn't exist, it doesn't show that page.

I'd recommend that you escape HTML entities before you output them and not before you insert them into the database. They pose no security risk in the database. The benefit of doing it on each request is that former exploits will be fixed when you deploy a security fix if you do it when outputting it. Had you done it when inserting instead then all existing exploits will still exist and will therefore not be fixed by the new changes. You have far greater control over the content in that way.

 

It also seems that you're parsing bbcodes and such upon insertion into the database. Again, I'd recommend against that. If you parse them when outputting you will instead be able to have greater control over the content - existing content in particular. In that way you can add changes to the bbcode parser and those changes will be immediately reflected on existing and future content.

We prefer to change everything when inputting simply because it is easier and works just as well.

I didn't code the bbcode so don't ask me, the other coder did.

But if you're editing the message it would show <img src=""></img> instead of [.img][./img], which would make it harder for the user to edit. If you parse the bbcode when the user is viewing the message then it would make it easier.
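Added example (not code from the forum or the beta site, and written in Python rather than the site's PHP) of what the escape-on-output and parse-on-output advice above looks like in practice: messages are stored exactly as typed, HTML escaping and BBCode parsing happen only when a page is rendered, the edit form gets the raw BBCode back, and an unknown message id gets no page at all. The in-memory message store, the tag subset and the `_safe_url` check are assumptions.

```python
import html
import re
from urllib.parse import urlparse

# Assumed stand-in for the database: message id -> raw text as submitted.
_messages = {}

def store_message(msg_id, raw_text):
    """Insert the user's text unchanged; nothing is escaped or parsed here."""
    _messages[msg_id] = raw_text

def edit_form_value(msg_id):
    """Value for the edit textarea: the original BBCode, escaped only so it sits safely in HTML."""
    return html.escape(_messages[msg_id], quote=True)

def _safe_url(url):
    """Allow only http(s) URLs with a host, so [img] cannot carry javascript: or data: URLs."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)

def render_bbcode(raw_text):
    """Escape everything first, then turn a small whitelist of BBCode tags into HTML."""
    out = html.escape(raw_text, quote=True)
    out = re.sub(r"\[b\](.*?)\[/b\]", r"<b>\1</b>", out, flags=re.S)
    out = re.sub(r"\[i\](.*?)\[/i\]", r"<i>\1</i>", out, flags=re.S)

    def img(match):
        url = html.unescape(match.group(1))   # undo the escaping to validate the real URL
        if not _safe_url(url):
            return match.group(0)             # leave the tag as escaped literal text
        return '<img src="%s">' % html.escape(url, quote=True)

    return re.sub(r"\[img\](.*?)\[/img\]", img, out, flags=re.S)

def render_message_page(msg_id):
    """View page: the reflected id and the body are both escaped at output time."""
    if msg_id not in _messages:
        return "<p>No such message.</p>"      # no page for ids that do not exist
    return '<div class="msg" data-id="%s">%s</div>' % (
        html.escape(str(msg_id), quote=True), render_bbcode(_messages[msg_id]))
```

Because the stored text is untouched, tightening `render_bbcode` or `_safe_url` later fixes every existing message on the next request.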
