TOPIC: SOLVED! (Adding underscores)_link_ and _layer_
#28015
Re:_link_ and _layer_ 10 Months, 2 Weeks ago  
1000 thanks, to all, for this topic!!
zottaro (User)
Junior Boarder
Posts: 23
 
#28017
Re:_link_ and _layer_ 10 Months, 2 Weeks ago  
Is there any chance someone could attach a file with the changes? I'm slightly confused, as there seem to be multiple workaroundS (plural), so I've kinda been sitting here waiting for the dust to clear and an agreed fix to show up... but if there's just one example file, that would be great.

Cheers,

Phil
Philip Roy (User)
Senior Boarder
Posts: 40
 
NZMac.com - Supporting the New Zealand Mac Community
www.nzmac.com
 
#28025
Re:_link_ and _layer_ 10 Months, 2 Weeks ago  
The suggested fixes are all the same - just slight variations of your choosing to suit your desired balance of appearance versus security.

The fix ranges from deleting the entire line of code (line 651 in the 1.0.3 stable version) to deleting selected words.

I deleted the words 'script' and 'link'.

The line (unaltered) looks like this:
Code:

$ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');


(and I should probably now remove my signature)
bpresent (User)
Junior Boarder
Posts: 25
 
Last Edit: 2007/10/17 15:22 By bpresent.
 
#29121
Re:_link_ and _layer_ 10 Months, 1 Week ago  
I'm wondering, why not escape the output text with htmlentities()?

Doesn't that avoid XSS 100%?

I think it is safer than the current solution in FireBoard. I did it on my forum and it works great! It also fixes another issue, when a post contains ampersand+lang like this: "&lang=es".
guilleva (User)
Fresh Boarder
Posts: 12
 
#29139
Re:_link_ and _layer_ 10 Months, 1 Week ago  
Can you be more specific please - what code did you use?
bpresent (User)
Junior Boarder
Posts: 25
 
#29141
Re:_link_ and _layer_ 10 Months, 1 Week ago  
On file components/com_fireboard/template/default/smile.class.php

Replace:

Code:

$fb_message_txt = FBTools::fbRemoveXSS($fb_message_txt);


With:

Code:

$fb_message_txt = htmlentities($fb_message_txt);


And delete the line:

Code:

$after_replace = FBTools::fbRemoveXSS($after_replace, 1);


But my question is, why doesn't FireBoard use htmlentities, strip_tags or htmlspecialchars to avoid this? Is there any reason why this should not be done?
guilleva (User)
Fresh Boarder
Posts: 12
 
Last Edit: 2007/10/27 05:21 By guilleva.
 
#30474
Re:_link_ and _layer_ 9 Months, 3 Weeks ago  
thank god.
helo (User)
Junior Boarder
Posts: 24
 
Last Edit: 2007/11/07 23:01 By helo.
 
#31310
Re:_link_ and _layer_ 9 Months, 2 Weeks ago  
guilleva wrote:
On file components/com_fireboard/template/default/smile.class.php

Replace:

Code:

$fb_message_txt = FBTools::fbRemoveXSS($fb_message_txt);


With:

Code:

$fb_message_txt = htmlentities($fb_message_txt);


And delete the line:

Code:

$after_replace = FBTools::fbRemoveXSS($after_replace, 1);


But my question is, why doesn't FireBoard use htmlentities, strip_tags or htmlspecialchars to avoid this? Is there any reason why this should not be done?


I've just made this change on my forum as I assume it's safer than the other workaround? Anyway, it seems to work fine for me, *but* it seems to do something to forum signatures. Instead of my signature displaying the "£" symbol, it now shows the HTML code "&pound" instead.

Does anyone know how I can correct this?

Thanks
whiskymac (User)
Fresh Boarder
Posts: 7
 
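To compare the two workarounds in this thread (bpresent's trimmed $ra1 blacklist and guilleva's htmlentities() replacement) and to reproduce the "&pound" signature symptom whiskymac reports, here is an added example; it is not FireBoard's code, and blacklistStrip() is a hypothetical sketch of a tag-name blacklist, not a port of fbRemoveXSS().

```php
<?php
// Added example (not FireBoard's code). Contrasts a tag-name blacklist
// with output escaping, then shows why a signature that is already
// stored entity-encoded displays as "&pound;" after htmlentities().

// Hypothetical sketch of the $ra1 approach: remove any tag whose name is
// on the list. Anything not on the list passes through untouched, which
// is why a blacklist has to be kept complete to stay safe.
function blacklistStrip(string $text, array $words): string {
    foreach ($words as $w) {
        $pattern = '/<\s*\/?\s*' . preg_quote($w, '/') . '\b[^>]*>/i';
        $text = preg_replace($pattern, '', $text);
    }
    return $text;
}

// guilleva's approach: every '<', '>', '&' and quote becomes an entity,
// so the browser never interprets message text as markup, whatever the
// tag name. Charset is stated explicitly rather than left to the default.
function escapeMessage(string $text): string {
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Signatures that already contain entities (e.g. '&pound;') get their '&'
// re-encoded to '&amp;' by a plain htmlentities() call, so the browser
// shows the literal text "&pound;". Passing double_encode = false leaves
// existing, well-formed entities alone while still escaping everything else.
function escapeSignature(string $sig): string {
    return htmlentities($sig, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample inputs for the demonstration.
$message   = 'Hello <b>all</b>, see <link rel="stylesheet" href="http://example.invalid/x.css"> and <layer>hi</layer>';
$signature = 'Price: &pound;5';

// Blacklist: <link> and <layer> are removed, <b> survives as live markup.
echo blacklistStrip($message, ['link', 'layer']), "\n";

// Escaping: no raw '<' survives, so nothing in the message renders as a tag.
echo escapeMessage($message), "\n";

// The symptom whiskymac describes: '&' inside '&pound;' is encoded again.
echo htmlentities($signature, ENT_QUOTES, 'UTF-8'), "\n";

// With double_encode = false the existing entity is preserved.
echo escapeSignature($signature), "\n";
```

The fourth argument of htmlentities() requires PHP 5.2.3 or later; on older installs the signature would need to be decoded with html_entity_decode() before escaping instead.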
#31312
Re:_link_ and _layer_ 9 Months, 2 Weeks ago  
guilleva wrote:
On file components/com_fireboard/template/default/smile.class.php

Replace:

Code:

$fb_message_txt = FBTools::fbRemoveXSS($fb_message_txt);


With:

Code:

$fb_message_txt = htmlentities($fb_message_txt);


And delete the line:

Code:

$after_replace = FBTools::fbRemoveXSS($after_replace, 1);


But my question is, why doesn't FireBoard use htmlentities, strip_tags or htmlspecialchars to avoid this? Is there any reason why this should not be done?




Are you really sure that htmlentities is never applied to the message text before? Isn't that the basics of XSS security?
florut (User)
FB Translation Team
Gold Boarder
Posts: 195
 
#31638
Re:_link_ and _layer_ 9 Months, 1 Week ago  
Any chance this topic could be FAQ'd or somehow stickied, as it's quite a common problem?

Thanks
linker3000 (User)
Fresh Boarder
Posts: 3
 