
XSS filter (PHP)


Uber0n (Member)

I just have a question about XSS filters, although it's not about escaping them. I've found quite a few sites with forms that allow HTML tags with a length of 3 characters to pass through the filter but remove all other ones. For example, the <u>, <b> and <i> tags get through but <br>, <script>, <iframe> and <img> do not.

What PHP function are the sites using, or is it just some kind of filter that they've written themselves? It could of course be strip_tags(), but then they must've set the filter argument to accept all of the short tags (and I can't see why anyone would do that in, for example, a registration form or search box…)

As I said, I've seen this on quite a few sites so it's not just a single system that uses this solution… Any thoughts or ideas will be much appreciated B)


Mr_Cheese

Either they have their own custom function,

or it's strip_tags($string, "<br><img><p>") etc.
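As an added example (not code from the thread), this is what the strip_tags() allow-list Mr_Cheese describes does to the tags Uber0n listed, followed by the plain-escaping alternative a field like a search box would normally want. The sample input is constructed.

```php
<?php
// Added example: reproduce the observed behaviour with strip_tags() and an allow-list.
// Constructed sample input containing the tags mentioned in the thread.
$input = 'Hello <u>under</u> <b>bold</b> <i>it</i> line<br>'
       . '<script>js()</script><iframe src="x"></iframe><img src="x">';

// Only the three short formatting tags are kept; every other tag is removed.
// strip_tags() removes the tags themselves, not the text between them, so the
// body of <script>…</script> survives as ordinary text.
$allowed  = '<u><b><i>';
$filtered = strip_tags($input, $allowed);
echo $filtered, PHP_EOL;

// Caveat for defenders: strip_tags() leaves attributes on allowed tags untouched,
// so an allow-list on its own is not an output-encoding step. Where no markup is
// wanted at all (registration fields, search boxes), escape the value instead:
$safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo $safe, PHP_EOL;
```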


spyware (Banned)

Sounds like failed RegEx to me.


Uber0n (Member)

Mr_Cheese wrote: or it's strip_tags($string, "<br><img><p>") etc.

I don't think so, since all the tags I've tried have been blocked except for the shortest possible ones. I suppose it's either a custom function that many people use or a failed regex then…

Thanks Cheese and Spyware ^^