
Bypassing striphtmlchars()


ghost's Avatar
0 0

Basically I was wondering if anyone knows how to properly bypass this. I know that if I encode the html tag (<script>) into: Decimal NCRs:*script Hexadecimal NCRs:<script> And probably more like UTF-7/8 or something but when I try stuff like (Decimal NCRs - "><script>alert(1)</script>): "scriptalert(1)/script On the site it allows it to be added but the alert isn't there (it will say something like: No results found for "><script>alert(1)</script>)

So if anyone could help me out that would be great.

Edit: Decimal NCRs: = <script> encoded in Decimal NCRs: same with Hexadecimal NCRs: where it says (Decimal NCRs - "><script>alert(1)</script>): it means "><script>alert(1)</script> encoded in Decimal NCRs, that's where it says "scriptalert(1)/script (to avoid XSS on the forum)

Sorry for being such a twat/moron/imbecile/retard/spaz, I wasn't thinking :( I hang my head in shame

P.S. A place to convert them: http://rishida.net/scripts/uniview/conversion.php

Once again sorry

Thanks SaMTHG:)
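Why the encoded attempt in the post above is displayed instead of executed, as an added example that is not part of the original thread: an HTML parser turns numeric character references in text content into plain characters, never into tags. It assumes the site reflects the search term into element text; the page fragments are constructed, and Python's html.parser stands in for a browser's tokenizer.

```python
import html
from html.parser import HTMLParser


class TagAndTextRecorder(HTMLParser):
    """Records the start tags the tokenizer sees and the decoded text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.start_tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.start_tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def tokenize(fragment):
    """Return (start tags, visible text) for an HTML fragment."""
    parser = TagAndTextRecorder()
    parser.feed(fragment)
    parser.close()
    return parser.start_tags, "".join(parser.text)


def to_decimal_ncrs(value):
    """Encode every character as a decimal numeric character reference."""
    return "".join(f"&#{ord(ch)};" for ch in value)


# Constructed sample: the search term quoted in the post.
SEARCH_TERM = '"><script>alert(1)</script>'
TEMPLATE = "<p>No results found for {}</p>"

# 1. Term reflected unmodified: the parser sees a real <script> tag.
RAW_PAGE = TEMPLATE.format(SEARCH_TERM)
# 2. Term submitted as decimal NCRs and reflected as-is: text only.
NCR_PAGE = TEMPLATE.format(to_decimal_ncrs(SEARCH_TERM))
# 3. Term output-encoded by the server with html.escape(): text only.
ESCAPED_PAGE = TEMPLATE.format(html.escape(SEARCH_TERM))

if __name__ == "__main__":
    for name, page in [("raw", RAW_PAGE), ("ncr", NCR_PAGE),
                       ("escaped", ESCAPED_PAGE)]:
        tags, text = tokenize(page)
        print(f"{name:8} tags={tags} text={text!r}")
```

Cases 2 and 3 produce the same visible text and the same tag list, which is why the "No results found for ..." message appears with no alert.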


spyware's Avatar
Banned
0 0

Can't understand a thing you're trying to say. Also; smileys.


ghost's Avatar
0 0

Sorry, I didn't think. HBH filters decoded the encoded script.


Night_Stalker's Avatar
Member
0 0

SaMTHG wrote: Basically I was wondering if anyone knows how to properly bypass this. I know that if I encode the html tag (<script>) into: Decimal NCRs:*script Hexadecimal NCRs:<script> And probably more like UTF-7/8 or something but when I try stuff like (Decimal NCRs - "><script>alert(1)</script>): "scriptalert(1)/script On the site it allows it to be added but the alert isn't there (it will say something like: No results found for "><script>alert(1)</script>) So if anyone could help me out that would be great. Thanks SaMTHG:)

Only incompetent fools put smilies inside their scripts, and end their posts with their name even though it is included in their sig…

EDIT: Wait, I was thinking you were yous3lf, I was going to come to congratulate you on another worthless post, but then realized you aren't him… But the smiles do make it look like a foolish, incompetent homosexual posted it…


ghost's Avatar
0 0

Night_Stalker wrote: Only incompetent fools put smilies inside their scripts, and end their posts with their name even though it is included in their sig…

EDIT: Wait, I was thinking you were yous3lf, I was going to come to congratulate you on another worthless post, but then realized you aren't him… But the smiles do make it look like a foolish, incompetent homosexual posted it…

Okay, okay, a simple "disable your smilies when you post code" would've sufficed. It's not like you have any grounds to judge anyone else here, anyways.