Comments Tweak 6
28 March 2009
Another release of the Comments Tweak is at hand! The JavaScript exploits, mostly along the lines of [url=javascript:exploit()], used to be a wide-open security hole in Comments. However, this isn't a problem any more. Release 6 has improved code clarity, along with this fairly major update.
For those interested, the way it worked was thus: the BBCode filter was run before /\[url\=javascript:(.*?)\]/ was searched for. The result? A lot of <a href="javascript:">, since all of the [url]s had already been turned into anchors/links by the time the search ran, so it had nothing left to match! I managed to miss this for a while. Once this was found and the search was moved up to before the BBCode transformation, the problem was solved.
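
The ordering problem described above, as an added example that is not the Comments Tweak's own code. The function names, the toy BBCode converter and the "[url=#]" replacement are assumptions. The last function goes beyond the post and shows a scheme allowlist with attribute escaping as the more general fix.

```javascript
// Added example; function names and the "[url=#]" replacement are assumptions.

// Toy stand-in for the BBCode filter: [url=X]text[/url] becomes an anchor.
function bbcodeToHtml(input) {
  return input.replace(/\[url=(.*?)\](.*?)\[\/url\]/g, '<a href="$1">$2</a>');
}

// The search from the post, here neutralising the tag's target.
function stripJsUrlTags(input) {
  return input.replace(/\[url\=javascript:(.*?)\]/g, '[url=#]');
}

// Order before the fix: the search runs on HTML, where no [url=...] tag is left.
function filterAfterBbcode(input) {
  return stripJsUrlTags(bbcodeToHtml(input));
}

// Release 6 order: the search sees the raw tag before it becomes an anchor.
function filterBeforeBbcode(input) {
  return bbcodeToHtml(stripJsUrlTags(input));
}

// Generalisation: allow only http(s) targets and escape the attribute value,
// so case variants, encoded spellings and stray quotes need no separate filter.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');
}
function renderWithAllowlist(input) {
  return input.replace(/\[url=(.*?)\](.*?)\[\/url\]/g, (tag, target, text) =>
    /^https?:\/\//i.test(target)
      ? '<a href="' + escapeHtml(target) + '">' + escapeHtml(text) + '</a>'
      : escapeHtml(text));
}

// Constructed sample comment, using the tag form quoted in the post.
const sample = '[url=javascript:exploit()]click[/url]';
console.log(filterAfterBbcode(sample));   // anchor still carries the javascript: target
console.log(filterBeforeBbcode(sample));  // target replaced before conversion
console.log(renderWithAllowlist(sample)); // link dropped, text kept
```

The blocklist search is case-sensitive and matches one spelling only, which is why the allowlist version decides on what a target must look like instead of what it must not.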

asdfasd
I'm gonna assume that was a JS exploit test.
i was checking for case exploits. now some more
javascript:alert('hi');
js still works :)
through an alert box
That first example was something that won't be fixed. Two things dictate this:
a) The JS isn't executed until it's clicked
b) The user can clearly see that it's some kind of JS link
Therefore, it's only a security risk if the user actually clicks a link that's clearly not to a website.
The second demo should just require a second filter for Unicode characters (javascript, aka "javascript"). Fix should be up within minutes, still as Release 6
js still works :)
through an alert box
People often say that. Take a look at my blog post on it. See the js is disguised as an actual link leading to havoc. ">test
[url=" onload="this.style.fontWeight='bold'"]test[/url
[url="\'" onload="this.style.fontWeight='bold'"]test[/url
This is a test