(02-12-2018, 07:21 AM)Elias Wrote:
(02-12-2018, 06:24 AM)Narf Wrote: Not a bug.
Why? Tags like <b> or <a> are not replaced... What's a normal input string for xss_clean()?
Thanks for the answers.
Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.
Bold doesn't have the 'src' attribute and cannot do anything potentially dangerous.
Anchor doesn't have the 'src' attribute, but can be altered or replaced in certain cases.
I don't know what you mean by a "normal input string" ... there's no such thing. The function is made to strip or defuse potentially dangerous tags and attributes, and that's what it does.
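To illustrate the distinction Narf draws between harmless tags and resource-loading attributes, here is an added Python sketch; it is not CodeIgniter's xss_clean() and not code from anyone in the thread. It keeps <b> and <a> intact, strips `src` and event-handler attributes, replaces a `javascript:` URL in href with a constructed `[removed]` marker, and escapes tags such as <script> so they render as text; the tag and attribute lists are assumptions chosen for the illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Tags whose mere presence is dangerous: rendered back as escaped text, not as tags.
NAUGHTY_TAGS = {"script", "iframe", "object", "embed", "applet", "base", "link", "meta", "style"}
# URL attributes where a javascript:/vbscript: scheme runs code on click instead of fetching.
URL_ATTRS = {"href", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

class SrcDefuser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _emit_tag(self, tag, attrs, self_closing=False):
        if tag in NAUGHTY_TAGS:
            self.out.append(escape(self.get_starttag_text()))
            return
        parts = [tag]
        for name, value in attrs:
            lname = name.lower()
            if lname == "src" or lname.startswith("on"):
                continue  # src fetches and may execute remote content; on* are event handlers
            if value is not None and lname in URL_ATTRS:
                # Browsers ignore whitespace/control chars inside the scheme, so flatten first.
                flat = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if flat.startswith(SCRIPT_SCHEMES):
                    value = "[removed]"  # constructed marker standing in for the defused URL
            parts.append(lname if value is None else f'{lname}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        close = f"</{tag}>"
        self.out.append(escape(close) if tag in NAUGHTY_TAGS else close)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text content is re-escaped on output

def defuse(fragment):
    parser = SrcDefuser()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Running `defuse('<b>x</b><img src="https://evil.example/p.png">')` leaves the bold tag alone and reduces the image to a bare `<img>`, which is the behaviour the reply describes.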