### Brief description:

In the forum (BBS) post submission. Version: phpok 4.2.100

### Details:

init.php

```
// safe_html() is a class method in init.php ($this->url is the site base URL).
function safe_html($info)
{
    if(!$info) {
        return false;
    }
    // Strip on* event-handler attributes from tags
    $tmp = "/<([a-zA-Z0-9]+)(.*)(on[abort|beforeonload|blur|change|click|contextmenu|dblclick|drag|dragend|dragenter|dragleave|dragstart|drop|error|focus|keydown|keypress|keyup|load|message|mousedown|mousemove|mouseover|mouseout|mouseup|mousewheel|reset|resize|scroll|select|submit|unload]+)=(.+)>/isU";
    $info = preg_replace($tmp,"<\\1\\2\\4>",$info);
    //$info = preg_replace("/<([a-zA-Z0-9]+)(.*)([onabort|onbeforeonload|onblur|onchange|onclick|oncontextmenu|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror|onfocus|onkeydown|onkeypress|onkeyup|onload|onmessage|onmousedown|onmousemove|onmouseover|onmouseout|onmouseup|onmousewheel|onreset|onresize|onscroll|onselect|onsubmit|onunload]+)\s*=\s*(.+)>/isU","<\\1\\3>",$info);
    // Remove script, frame, iframe, style and link tags
    $tmp = array(
        "/<script(.*)<\/script>/isU",
        "/<frame(.*)>/isU",
        "/<\/fram(.*)>/isU",
        "/<iframe(.*)>/isU",
        "/<\/ifram(.*)>/isU",
        "/<style(.*)<\/style>/isU",
        "/<link(.*)>/isU",
        "/<\/link>/isU"
    );
    $info = preg_replace($tmp,'',$info);
    // Rewrite absolute src URLs pointing at this site to relative ones
    $array = array("src='".$this->url,'src="'.$this->url,"src=".$this->url);
    $new = array("src='",'src="',"src=");
    $info = str_replace($array,$new,$info);
    return $info;
}
```

Although all events are filtered, the filter does not take into account that the `src` attribute of the `<img>` tag supports the `javascript:` directive.

Verification steps:

![QQ截图20150114153659.png](https://images.seebug.org/upload/201501/141537251a9b4d548467df5697937957349d288a.png)

![QQ截图20150114153746.png](https://images.seebug.org/upload/201501/14153803257b92a375e45630bcf42067eeb6884d.png)

After posting:

![QQ截图20150114153847.png](https://images.seebug.org/upload/201501/141538581d67695782692a4e945cb10c495b0f53.png)

### Proof of vulnerability:

![QQ截图20150114153847.png](https://images.seebug.org/upload/201501/141538581d67695782692a4e945cb10c495b0f53.png)
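As an added illustration (not phpok's code), the PHP below shows a stricter replacement for the filter above. Two weaknesses drive the design: the event blacklist only looks at attribute names, so a URL-bearing attribute such as `src` or `href` can still carry a script-capable scheme; and the bracket group in the regex (`on[abort|...|unload]+`) is a character class rather than an alternation, so it matches `on` followed by any letters from that set instead of the listed handler names. The strict version parses the markup with DOMDocument, drops every `on*` attribute regardless of name, and rejects `javascript:`, `vbscript:` and `data:` values on URL attributes after normalising them the way a browser does. The function names and the sample posts are assumptions constructed for this example.

```php
<?php
// Added example, not phpok's code. Hardened counterpart to safe_html():
// rejects script-capable URL schemes in src/href, not just on* attributes.

/**
 * Normalise an attribute value the way browsers do before scheme detection:
 * decode entities, strip control/whitespace characters, lowercase.
 */
function normalize_url_value(string $value): string
{
    $v = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Browsers ignore tabs, newlines and NULs inside the scheme part.
    $v = preg_replace('/[\x00-\x20]+/', '', $v);
    return strtolower($v);
}

/** True if the value uses a scheme that can execute script (data: blocked conservatively). */
function is_dangerous_url(string $value): bool
{
    return (bool) preg_match('/^(javascript|vbscript|data):/', normalize_url_value($value));
}

/**
 * Strict filter (hypothetical name): removes blocked elements, every on* attribute
 * of any name, and any URL attribute whose value carries a script-capable scheme.
 * DOMDocument does the attribute parsing instead of a hand-written regex.
 */
function safe_html_strict(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // The XML PI forces UTF-8; the wrapper <div> keeps the fragment intact.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $urlAttrs = ['src', 'href', 'action', 'formaction', 'xlink:href'];
    $blocked  = ['script', 'iframe', 'frame', 'style', 'link', 'object', 'embed'];

    // Collect first, then mutate: removing nodes while iterating a live list skips items.
    $elements = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $elements[] = $el;
    }

    foreach ($elements as $el) {
        if (in_array(strtolower($el->tagName), $blocked, true)) {
            $el->parentNode->removeChild($el);
            continue;
        }
        $toRemove = [];
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->name);
            if (strpos($name, 'on') === 0
                || (in_array($name, $urlAttrs, true) && is_dangerous_url($attr->value))) {
                $toRemove[] = $attr->name;
            }
        }
        foreach ($toRemove as $name) {
            $el->removeAttribute($name);
        }
    }

    // The outermost <div> is the wrapper added above; emit only its children.
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

/** Runs the filter over constructed forum-post samples (not the report's screenshots). */
function demo(): array
{
    $samples = [
        '<img src="x" onerror="alert(1)">',                              // caught by the event blacklist
        '<img src="javascript:alert(1)">',                               // the bypass the report describes
        '<a href=" JavaScript:alert(1)">link</a>',                       // case and whitespace variant
        '<p>Hello <b>world</b> <img src="https://example.invalid/a.png"></p>', // benign content kept
    ];
    return array_map('safe_html_strict', $samples);
}

foreach (demo() as $out) {
    echo $out, "\n";
}
```

Rather than extending the regex blacklist with yet another attribute name, the check keys on what the value can do (its scheme after normalisation) and on the prefix `on` for any attribute, so new handler names or obfuscated attribute values do not reopen the gap. Blocking `data:` on `img` is stricter than browsers require; allow `data:image/` there if the forum needs inline images.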