发表于 2011-12-9 13:58:53
Hex 发表于 2011-12-8 21:11
2.0 版本的我没有试过 XSS，我知道的 1.7.3 是没问题的。
不排除是 BUG。
我看了一下核心代码，原来 2.0 比 1.7.3 多用了一个过滤的方法，在 system\core\Security.php 的第 562 行，代码如下：
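/**
 * Remove evil HTML attributes (event handlers, style and, except for images, xmlns).
 *
 * Each matched attribute is dropped together with its value, which is either:
 * - everything up to the next whitespace / tag delimiter for an unquoted value,
 *   e.g. everything between the pipes in
 *   <a |style=document.write('hello');alert('world');| class=link>
 * - everything inside the quotes for a quoted value, e.g.
 *   <a |style="document.write('hello'); alert('world');"| class="link">
 *
 * The match is anchored on a single tag and cannot look past a '<' or '>'
 * that appears inside the tag text, so this is one layer of xss_clean and
 * not a complete sanitiser on its own.
 *
 * @param string $str      The string to check
 * @param bool   $is_image TRUE if this is an image
 * @return string The string with the evil attributes removed; an empty
 *                string if the regex engine fails (fail closed)
 */
protected function _remove_evil_attributes($str, $is_image)
{
    // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
    $evil_attributes = ['on\w*', 'style', 'xmlns'];

    if ($is_image === true) {
        // Adobe Photoshop puts XML metadata into JFIF images, including
        // namespacing, so xmlns has to be allowed for images. array_diff()
        // replaces the non-strict array_search()/unset() pair, whose FALSE
        // result would have removed index 0 had the entry ever been missing.
        $evil_attributes = array_values(array_diff($evil_attributes, ['xmlns']));
    }

    // Loop-invariant pattern; the attribute list is fixed before the loop starts.
    $pattern = "#<(/?[^><]+?)([^A-Za-z\-])(".implode('|', $evil_attributes).")(\s*=\s*)([\"][^>]*?[\"]|[\'][^>]*?[\']|[^>]*?)([\s><])([><]*)#i";

    do {
        // The delimiter following the value ($6) is consumed by the match, so an
        // evil attribute that immediately follows a removed one cannot be matched
        // in the same pass; repeat until a pass removes nothing. Every match is
        // replaced by a strictly shorter string, so the loop terminates.
        $str = preg_replace($pattern, '<$1$6', $str, -1, $count);

        if ($str === null) {
            // PCRE error (e.g. backtrack limit on pathological input). The original
            // returned NULL here; fail closed with an empty string so the documented
            // string contract holds and no unfiltered markup is passed through.
            return '';
        }
    } while ($count);

    return $str;
}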