xss filter avoidance #517

Open
tablatronix opened this issue Feb 11, 2013 · 2 comments
Comments

@tablatronix
Member

When using the code editors I typically experience XSS filters that prevent me from submitting. These are either browser reflected-XSS filters or Apache mod_sec.

Avoiding these can be done via AJAX submission, but even better would be to encode our form data when submitting to the server.

@tablatronix
Member Author

Some workarounds are to disable mod_sec for some stuff, which is risky; we do use a nonce, so that helps a little.

If your host allows it via .htaccess:

# disables mod_sec for specific ip and post only
SetEnvIf Remote_Addr ^xxx\.xxx\.xxx\.xxx$ MODSEC_ENABLE=Off
SetEnvIf Request_Method !^POST$ MODSEC_ENABLE=On

You can also disable specific mod_sec rules if you can identify them, or specify specific pages and forms.

@tablatronix
Member Author

Did a quick and dirty test encoder that can be done with a plugin via hooks.
Obviously needs testing, and has no base64 fallback for browsers that do not support btoa.
No clue what the char support is for Unicode etc., but you get the gist; could always do some serializing or a custom encoder ($val.serialize() etc.).

// common hook: runs before the components page handler reads $_POST
if (get_filename_id() == 'components' && isset($_POST['submitted'])){
    // only decode when the JS below flagged this submission as encoded
    if(isset($_POST['encoded'])){
        foreach($_POST['val'] as $key=>&$val){
            // reverse the btoa() done in the browser
            $val = base64_decode($val);
            // print_r("DECODING DATA for $key \n");
            // print_r($val);
        }
        unset($val); // drop the reference left behind by foreach
    }

    // echo "<pre>";
    // var_dump($_POST);
    // echo "</pre>";
    // die();
}
// use php or js to target which pages, depending on which hooks and where you output
?>
<?php if (get_filename_id() == 'components'){ ?>
<script>
$( document ).ready(function(){
    $("#components form.manyinputs").submit(function(e){
        e.preventDefault();
        var form = this;
        // base64-encode every component textarea before the form leaves the browser
        $(form).find("textarea[name='val[]']").each(function(){
            var newval = btoa($(this).val()); // btoa throws for characters above U+00FF
            // console.log(newval);
            $(this).val(newval);
        });
        // tell the PHP hook above that the values need decoding
        $(form).append($("<input type='hidden' name='encoded' value='true'>"));
        form.submit(); // submit bypassing the jQuery bound event
    });
});
</script>
<?php } ?>
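A defender-side counterpart to the .htaccess workaround and the encoder above, added here and not part of this project or of the comments: rather than switching mod_sec off for POST, a ModSecurity 2.x rule can base64-decode POST arguments before matching, so a btoa-wrapped value is inspected rather than hidden from the WAF. The rule id and the script-tag pattern are assumptions chosen for illustration.

```apache
# Added example, not from this project. Requires ModSecurity 2.x with
# request-body inspection so phase 2 rules can see POST parameters.
SecRequestBodyAccess On

# Apply base64Decode to each POST argument before the regex runs, so the
# encoded textarea values from the JS encoder are matched in decoded form.
# id:100001 is a placeholder; pick an id outside any ruleset you already load.
SecRule ARGS_POST "@rx (?i)<\s*script" "id:100001,phase:2,t:none,t:base64Decode,log,deny,status:403,msg:'base64-wrapped script tag in POST parameter %{MATCHED_VAR_NAME}'"
```

With this in place the per-IP MODSEC_ENABLE=Off exception is unnecessary: legitimate editor submissions that carry no script tag still pass, and the nonce remains the only thing standing between the decoder and arbitrary posts, so keep it.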
