dsaba Posted December 16, 2007 Share Posted December 16, 2007 Short & Sweet regex tester I made that checks for matches in a haystack and regex string live with AJAX. I'm sure there are security holes. Let me know if you find some. Otherwise I'd thought I'd share this handy online app. Something like this is so simple to make, its unbelievable that most online regex testers I've tried can't even check for matches live like a win32 app can. http://tinyurl.com/2vfgjq Link to comment Share on other sites More sharing options...
agentsteal Posted December 16, 2007 Share Posted December 16, 2007 Cross Site Scripting: There is Cross Site Scripting if the Expect header contains code. Cross Site Scripting: There is Cross Site Scripting if the regex contains ~code~. Cross Site Scripting: There is Cross Site Scripting if the haystack contains ~code~. Link to comment Share on other sites More sharing options...
dsaba Posted December 16, 2007 Author Share Posted December 16, 2007 There is Cross Site Scripting through the Expect header. Could you explicate on that? on the ajax? How could I fix it? Link to comment Share on other sites More sharing options...
dsaba Posted December 19, 2007 Author Share Posted December 19, 2007 could you give me an example of XSS that can attack my site according to what you've noticed, agentsteal? I also added highlighting for the full pattern match (yellow) and highlighting for each substring within the full pattern match (multiple colors) Link to comment Share on other sites More sharing options...
effigy Posted December 19, 2007 Share Posted December 19, 2007 1. It states "make sure you have delimiters for preg flavor" when I'm not using preg. 2. I cannot paste/enter multi-line patterns into the Regex field. Link to comment Share on other sites More sharing options...
dsaba Posted December 20, 2007 Author Share Posted December 20, 2007 This error msg is a default error msg I have in case any error for any flavor. Is it possible to grab the error messages that php sends out that causes the script to die. So i can parse through the error msg and display only what I want, like not the line number and local path of the script. here's an example of something i want to grab and parse through before it dies: Warning: preg_match_all() [function.preg-match-all]: Delimiter must not be alphanumeric or backslash in C:\Program Files\....file.php on line 247 Link to comment Share on other sites More sharing options...
Daniel0 Posted December 20, 2007 Share Posted December 20, 2007 This error msg is a default error msg I have in case any error for any flavor. Is it possible to grab the error messages that php sends out that causes the script to die. So i can parse through the error msg and display only what I want, like not the line number and local path of the script. here's an example of something i want to grab and parse through before it dies: Warning: preg_match_all() [function.preg-match-all]: Delimiter must not be alphanumeric or backslash in C:\Program Files\....file.php on line 247 http://php.net/set_error_handler Link to comment Share on other sites More sharing options...
anthrt Posted December 24, 2007 Share Posted December 24, 2007 You arent doing any validation on the seeSaved variable in regex_tester.php, you can use any character and it exposes your absolute path. http://nancywalshee03.freehostia.com/regextester/regex_tester.php?seeSaved=hello http://nancywalshee03.freehostia.com/regextester/regex_tester.php?seeSaved=../ Out of curiosity, how are you generating the sample script's variable names? i.e. 6fzm0zcc etc? Link to comment Share on other sites More sharing options...
Recommended Posts