Jump to content

Recommended Posts

  • Replies 64
  • Created
  • Last Reply

Top Posters In This Topic

Full path disclosure: Fatal error: Call to undefined function html_entities() in /home2/xausfco/public_html/calendar.php on line 9

Also, not really a hack, but can you try to correct the javascript so it's unobtrusive? The slideshows don't work without JS. Try using an image in noscript tags.

 

----------------

Now playing: Rage Against The Machine - Tire Me

via FoxyTunes

Full path disclosure: Fatal error: Call to undefined function html_entities() in /home2/xausfco/public_html/calendar.php on line 9

Also, not really a hack, but can you try to correct the javascript so it's unobtrusive? The slideshows don't work without JS. Try using an image in noscript tags.

 

----------------

Now playing: Rage Against The Machine - Tire Me

via FoxyTunes

 

Thank you for catching those 2! I got them both fixed. Very helpful :)

danny are you using strip_tags on calendar.php?  because my scanner is still picking up cross site scripting on it. ;)

 

to be more specific you can inject javascript into the year variable ;)

 

Also just a suggestion but the poll goes away after voting is there a way you could display the results? ;)

 

I did htmlentities bc I thought that by doing it, it erased any chance of using js/html. Do I need to use both?

 

And I know what you mean about displaying results... that's been me being lazy. I'll get to it by tomorrow night

also html entities does not strip out javascript it just  prints in text instead of executing , i would personally use strip_tags()

 

What if someone needs to search for HTML/Javascript? It might not be likely on the OP's site, but on others, such as this forum, it is an absolute necessity.

if he needs to allow html/javascript tage he can do

 

strip_tags($var,'html/javascript tags allowed here');

 

which solves the problem  ;)

 

You clearly don't get what I am saying. Sites a lot of times need to use/display EXACTLY what a user inputs. Also, you said that you wanted to stop javascript execution, it's not stopped if you allow "'html/javascript tags allowed here'".  ;)

 

But whatever, the conversation is a little irrevelant, I guess it all comes down to a matter of preference.

if he needs to allow html/javascript tage he can do

 

strip_tags($var,'html/javascript tags allowed here');

 

which solves the problem  ;)

 

You clearly don't get what I am saying. Sites a lot of times need to use/display EXACTLY what a user inputs. Also, you said that you wanted to stop javascript execution, it's not stopped if you allow "'html/javascript tags allowed here'".  ;)

 

But whatever, the conversation is a little irrevelant, I guess it all comes down to a matter of preference.

 

okay what you said does not make sense why would you want to inject javascript into a calendar? its dangerous! end of story! i would not allow any sort of javascript even in the allowed tags part. that is securing a script from cross site scripting.

1.Ok I said earlier that it's not that big of a deal on this site, but is for others.

 

2.In my first post in this thread I said stop the cross site scripting...so yeah...

 

3.You said 'allowed javascript'...

 

4.htmlentities with the ENT_QUOTES parameter stops cross site scripting with no loss of user input when displayed as text. Period.

 

But like I said, I don't want to argue with you, just want to give the OP another option.

1.Ok I said earlier that it's not that big of a deal on this site, but is for others.

 

2.In my first post in this thread I said stop the cross site scripting...so yeah...

 

3.You said 'allowed javascript'...

 

4.htmlentities with the ENT_QUOTES parameter stops cross site scripting with no loss of user input when displayed as text. Period.

 

But like I said, I don't want to argue with you, just want to give the OP another option.

 

I went ahead and did the ENT_QUOTES parameter for my htmlentities function. thank you for it, I wasn't aware of it.

^ haha, well someone out there has voted a few thousand times.

 

 

And can someone tell me how they're masking their ip? In my ip-tracking column, sometimes there's "<script>blahblah</script>" among other interesting stuff, but it's a field that the user had no control of(atleast I thought)


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.