Unfiltered form accepts <script> tag , it's dangerous ?

[invader7]

Hello , i have a message form which saves the contents to database and shows it when requested , i used to filter some hardcoded tags like <?php ?> but i found it is vulnerable to <script>alert(1);</script>


Javascript is client side , so the vulnerability is dangerous only for clients (there are no clients till now). Is there any rush for me to patch this bug as soon as possible ? Is there any fear for compromising my server or find any info for the server ?

[Kulverstukas]

so then why don't don't you use regex and strip the tags, or just remove the text along with those tags...? however I am sure there are better ways to do it

[invader7]

so then why don't don't you use regex and strip the tags, or just remove the text along with those tags...? however I am sure there are better ways to do it

I don't want to remove all tags , im using regex to find the tags i want to remove but i didn't thought about script ! is this dangerous at the moment i have to rush ? Always talking for the server !

[techb]

Yes, patch it. You never want something that can run scripts or code without your direct control over. Having clients being able to store and run scripts is bad.

[invader7]

Thanks !! i will , i im controlling tags like this :


if user wants to post <?php echo phpinfo(); ?> i will make it <!--?php echo phpinfo(); ?-->


is this enough ?


im using php 5.3.3

[techb]

Why not remove or reject the entries?

[invader7]

Why not remove or reject the entries?

Don't know just a quick thought , is it insecure way ? or just a waste..

[techb]

It's a quick and dirty way, but removing the entries all together would be ideal.

[invader7]

It's a quick and dirty way, but removing the entries all together would be ideal.

thanks !!

[ande]

This is a classic XSS example. I suggest you read up on it. Why don't you just filter everything with htmlspecialchars() or htmlentities()? I sure hope you are escaping the database query with PDO prepared statements or mysql_real_escape_string()

[invader7]

This is a classic XSS example. I suggest you read up on it. Why don't you just filter everything with htmlspecialchars() or htmlentities()? I sure hope you are escaping the database query with PDO prepared statements or mysql_real_escape_string()

Yes i have my queries secured thanks !! I know im XSS vulnerable right now but its ok because im in development stage , for one moment i thought that im exposing my server to a server side script. But im safe ! Client side attacks are harmless for the server (i think )

[ande]

Yes i have my queries secured thanks !! I know im XSS vulnerable right now but its ok because im in development stage , for one moment i thought that im exposing my server to a server side script. But im safe ! Client side attacks are harmless for the server (i think )

Client side attacks (XSS) would allow an attacker to steal your session(s)/cookies and be logged in (if there is a login) without even typing username/password. But you are correct. XSS cannot harm the server directly.

[invader7]

Client side attacks (XSS) would allow an attacker to steal your session(s)/cookies and be logged in (if there is a login) without even typing username/password. But you are correct. XSS cannot harm the server directly.

Yes i know about cookie stealing , i was afraid about posting <?php tags to my messages. Thanks a lot for your time !! I appreciate it !

[ande]

Yes i know about cookie stealing , i was afraid about posting <?php tags to my messages. Thanks a lot for your time !! I appreciate it !

The PHP tags/code wouldn't be able to execute unless you ran it through eval().

[invader7]

The PHP tags/code wouldn't be able to execute unless you ran it through eval().

What do you mean , how i'm supposed to run eval() if i cant enclose it at <?php tag ?