Ticket #116 (new defect)

Opened 5 years ago

Last modified 4 years ago

Code cleaning QTextBoxBase.class.php

Reported by: marcosdsanchez
Owned by: somebody
Priority: minor
Milestone: 1.2
Component: QForms
Version:
Keywords:
Cc:

Description

We really need to clean up this messy code and replace it with a suitable regexp.

    // Check for cross scripting patterns
    // (fragment of a method in QTextBoxBase.class.php; $this->strText is the control's text)
    // TODO: Change this to RegExp
    $strText = strtolower($this->strText);
    if ((strpos($strText, '<script') !== false) ||
        (strpos($strText, '<applet') !== false) ||
        (strpos($strText, '<embed') !== false) ||
        (strpos($strText, '<style') !== false) ||
        (strpos($strText, '<link') !== false) ||
        (strpos($strText, '<body') !== false) ||
        (strpos($strText, '<iframe') !== false) ||
        (strpos($strText, 'javascript:') !== false) ||
        (strpos($strText, ' onfocus=') !== false) ||
        (strpos($strText, ' onblur=') !== false) ||
        (strpos($strText, ' onkeydown=') !== false) ||
        (strpos($strText, ' onkeyup=') !== false) ||
        (strpos($strText, ' onkeypress=') !== false) ||
        (strpos($strText, ' onmousedown=') !== false) ||
        (strpos($strText, ' onmouseup=') !== false) ||
        (strpos($strText, ' onmouseover=') !== false) ||
        (strpos($strText, ' onmouseout=') !== false) ||
        (strpos($strText, ' onmousemove=') !== false) ||
        (strpos($strText, ' onclick=') !== false) ||
        (strpos($strText, '<object') !== false) ||
        (strpos($strText, 'background:url') !== false))
        throw new QCrossScriptingException($this->strControlId);
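An added example, not code from this ticket or from the project it belongs to: the if-chain above expressed as one case-insensitive regular expression built from the same 21 substrings. The function names `crossScriptingPatterns`, `buildCrossScriptingRegex` and `checkCrossScripting`, and the minimal stand-in `QCrossScriptingException` class, are assumptions made so the snippet runs on its own; the pattern list is the ticket's, unchanged. Because the regexp is assembled from exactly the original substrings, it only tidies the code: it flags the same inputs and misses the same ones as the strpos() chain, which is the limitation VexedPanda's comment on blacklist checks points at.

```php
<?php
// Added example (not the project's own code): the strpos() if-chain from the
// ticket as a single case-insensitive regular expression. Function names and
// the minimal exception class below are assumptions made so this runs alone.

// Stand-in for the project's QCrossScriptingException (assumed shape).
class QCrossScriptingException extends Exception
{
    public function __construct($strControlId)
    {
        parent::__construct("Cross scripting pattern found in control '$strControlId'");
    }
}

// The 21 substrings the ticket's if-chain tests, unchanged. The leading
// space before each on*= handler is part of the original match and is kept.
function crossScriptingPatterns()
{
    return array(
        '<script', '<applet', '<embed', '<style', '<link', '<body', '<iframe',
        '<object', 'javascript:', 'background:url',
        ' onfocus=', ' onblur=', ' onkeydown=', ' onkeyup=', ' onkeypress=',
        ' onmousedown=', ' onmouseup=', ' onmouseover=', ' onmouseout=',
        ' onmousemove=', ' onclick=',
    );
}

// Build one alternation from the list. preg_quote() escapes the '<', '=' and
// ':' characters; the /i flag replaces the strtolower() call, and there are
// no anchors because strpos() matched the substring anywhere in the text.
function buildCrossScriptingRegex(array $patterns)
{
    $quoted = array_map(function ($p) { return preg_quote($p, '/'); }, $patterns);
    return '/' . implode('|', $quoted) . '/i';
}

// Behaviour-equivalent replacement for the ticket's if-chain: throws on a
// match, returns true otherwise. It inherits the blacklist's blind spots;
// it only makes the check shorter and easier to maintain.
function checkCrossScripting($strText, $strControlId)
{
    static $regex = null;
    if ($regex === null) {
        $regex = buildCrossScriptingRegex(crossScriptingPatterns());
    }
    if (preg_match($regex, $strText) === 1) {
        throw new QCrossScriptingException($strControlId);
    }
    return true;
}

// Constructed sample inputs for the demonstration.
var_dump(checkCrossScripting('Plain text with <b>bold</b> markup', 'txtComment'));
try {
    checkCrossScripting('Hello <SCRIPT src="x.js"></SCRIPT>', 'txtComment');
} catch (QCrossScriptingException $e) {
    echo $e->getMessage(), "\n";
}
```

Building the pattern from the array rather than hand-writing the alternation keeps the list reviewable in one place and lets preg_quote() handle escaping, so adding or removing a substring cannot silently break the expression.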

Change History

Changed 5 years ago by VexedPanda

Unfortunately, cross-site-scripting is pretty complex. I'd recommend adopting something like htmlpurifier rather than re-inventing the wheel.

Changed 4 years ago by alex94040

  • milestone changed from 1.1 to 1.2