Re:_link_ and _layer_ 1 Year, 1 Month ago
1000 thanks, to all, for this topic!!
The administrator has disabled public write access.
Re:_link_ and _layer_ 1 Year, 1 Month ago
Is there any chance someone could attach a file with the changes...I'm slightly confused as there seems to be multiple workaroundS (plural) so I've kinda been sitting here waiting for the dust to clear and an agreed fix to show up.....but if there's just one example file, that would be great.
Cheers,
Phil
NZMac.com - Supporting the New Zealand Mac Community
www.nzmac.com
Re:_link_ and _layer_ 1 Year, 1 Month ago
The suggested fixes are all the same - just slight variations of your choosing to suit your desired balance of appearance versus security.
The fix ranges from the deletion of the entire line of code (line 651 in the 1.0.3 stable version) to the deletion of selected words.
I deleted the words 'script' and 'link'.
The line (unaltered) looks like this:
[code:1]$ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');[/code:1]
(and I should probably now remove my signature ;))
Last Edit: 2007/10/17 15:22 By bpresent.
Re:_link_ and _layer_ 1 Year, 1 Month ago
I'm wondering why we don't escape the output text with htmlentities()?
Doesn't that avoid XSS at 100%?
I think it is safer than the current solution on fireboard. I did it on my forum and it works great! And also it fixes other issue when a post wrings ampersand+lang like this "&lang=es"?
Re:_link_ and _layer_ 1 Year, 1 Month ago
Can you be more specific please - what code did you use?
Re:_link_ and _layer_ 1 Year, 1 Month ago
On file components/com_fireboard/template/default/smile.class.php
Replace:
[code:1]$fb_message_txt = FBTools::fbRemoveXSS($fb_message_txt);[/code:1]
With:
[code:1]$fb_message_txt = htmlentities($fb_message_txt);[/code:1]
And delete the line:
[code:1]$after_replace = FBTools::fbRemoveXSS($after_replace, 1);[/code:1]
But my question is, why fireboard doesn't use htmlentities or strip_tags or htmlspecialchars to avoid this? Is there any reason why this should not be done?
Last Edit: 2007/10/27 05:21 By guilleva.
Re:_link_ and _layer_ 1 Year ago
thank god.
helo (User)
Junior Boarder
Posts: 26
Last Edit: 2007/11/07 23:01 By helo.
Re:_link_ and _layer_ 1 Year ago
guilleva wrote:
[quote]On file components/com_fireboard/template/default/smile.class.php
Replace:
[code:1]$fb_message_txt = FBTools::fbRemoveXSS($fb_message_txt);[/code:1]
With:
[code:1]$fb_message_txt = htmlentities($fb_message_txt);[/code:1]
And delete the line:
[code:1]$after_replace = FBTools::fbRemoveXSS($after_replace, 1);[/code:1]
But my question is, why fireboard doesn't use htmlentities or strip_tags or htmlspecialchars to avoid this? Is there any reason why this should not be done?[/quote]
[color=#008000]I've just done this change on my forum as I assume it's safer than the other workaround? Anyway, it seems to work fine for me, *but* it seems to do something to forum signatures. Instead of my signature displaying the "£" symbol it has changed to the html code instead "£".
Does anyone know how I can correct this?
Thanks[/color]
Re:_link_ and _layer_ 1 Year ago
guilleva wrote:
[quote]On file components/com_fireboard/template/default/smile.class.php
Replace:
[code:1]$fb_message_txt = FBTools::fbRemoveXSS($fb_message_txt);[/code:1]
With:
[code:1]$fb_message_txt = htmlentities($fb_message_txt);[/code:1]
And delete the line:
[code:1]$after_replace = FBTools::fbRemoveXSS($after_replace, 1);[/code:1]
But my question is, why fireboard doesn't use htmlentities or strip_tags or htmlspecialchars to avoid this? Is there any reason why this should not be done?[/quote]
Are you really sure that htmlentities is never applied before to the message text ???? Isn't it the basics of XSS security ????
florut (User)
FB Translation Team
Senior Boarder
Posts: 195
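An added example, not code from this thread or from FireBoard: it shows output encoding applied once with an explicit charset, and what happens to a "£" when text is entity-encoded twice, which is the situation the signature report and the question about an earlier htmlentities() call both point at. render_post_text() and expect_same() are hypothetical helpers and every sample string is constructed.

```php
<?php
// Added example, not FireBoard code. render_post_text() and expect_same()
// are hypothetical helpers; all sample strings are constructed.
// Save this file as UTF-8 so the "£" literals are UTF-8 bytes.

// Encode user text once, at output time, for an HTML body context.
function render_post_text($raw)
{
    // htmlspecialchars() rewrites only & < > " ' so "£" and ordinary words
    // such as "link" or "layer" are left as typed. The charset is passed
    // explicitly rather than taken from the PHP default.
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

function expect_same($expected, $actual)
{
    if ($expected !== $actual) {
        throw new RuntimeException("expected [$expected], got [$actual]");
    }
}

// Ordinary words and the pound sign survive unchanged.
$plain = 'Please link the layer tutorial, price is £5';
expect_same($plain, render_post_text($plain));

// Markup is shown as text instead of being interpreted.
expect_same('&lt;script&gt;alert(1)&lt;/script&gt;',
    render_post_text('<script>alert(1)</script>'));

// A bare ampersand in a query string is encoded like any other.
expect_same('index.php?id=1&amp;lang=es',
    render_post_text('index.php?id=1&lang=es'));

// htmlentities() additionally rewrites every character that has a named
// entity. Encoding the same text a second time then encodes the "&" of
// that entity, and the page displays the entity name instead of the sign.
$once  = htmlentities('£5', ENT_QUOTES, 'UTF-8');
$twice = htmlentities($once, ENT_QUOTES, 'UTF-8');
expect_same('&pound;5', $once);
expect_same('&amp;pound;5', $twice);

// The fourth argument (double_encode = false) leaves existing entities alone.
expect_same('&pound;5', htmlentities($once, ENT_QUOTES, 'UTF-8', false));

echo "all checks passed\n";
```

Whether FireBoard already encodes the message before this point is not shown in the thread; the double-encoding case here only illustrates the symptom.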
Re:_link_ and _layer_ 1 Year ago
Any chance this topic could be FAQd or somehow stickied as it's quite a common problem.
Thanks