fix Typecho_Common::removeXSS #727

Open
wants to merge 1 commit into
base: master
from

@mierhuo
Contributor

commented Mar 8, 2018

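  • The expected filtering effect is not achieved
    (mainly because the encoding-replacement operation in the first step does not consider nested cases; see the comparison below)
  • The original indentation was three spaces; I fixed that (hence the large diff)
  • Renamed $val_before to camelCase (Typecho PHP coding standard)
  • So far I have not found that this leads to an exploitable XSS security issue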

I pulled this code out and tested it on its own; the test data (get_payload.py) is as follows:

echo removeXSS("&#&#514&#&#512&#&#4911&#&#4910&#&#4908&#&#4911&#&#577&#&#4900&#&#541&#&#4906&#&#577&#&#4918&#&#577&#&#4915&#&#579&#&#4914&#&#4905&#&#4912&#&#4916&#&#538&#&#577&#&#4908&#&#4901&#&#4914&#&#4916&#&#520&#&#514&#&#568&#&#563&#&#563&#&#514&#&#521");

Result before the change:

"&#32&#111&#110&#108&#111&#97&#100=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:&#97&#108&#101&#114&#116("&#88&#83&#83")&#11#11

That is: " onload=javascript:alert("XSS")

Result after the change:

&#&#514&#&#512&#&#4911&#&#4910&#&#4908&#&#4911&#&#577&#&#4900&#&#541&#&#4906&#&#577&#&#4918&#&#577&#&#4915&#&#579&#&#4914&#&#4905&#&#4912&#&#4916&#&#538&#&#577&#&#4908&#&#4901&#&#4914&#&#4916&#&#520&#&#514&#&#568&#&#563&#&#563&#&#514&#&#521#521

That is: &#Ȃ&#Ȁ&#ጯ&#ጮ&#ጬ&#ጯ&#Ɂ&#ጤ&#ȝ&#ጪ&#Ɂ&#ጶ&#Ɂ&#ጳ&#Ƀ&#ጲ&#ጩ&#ጰ&#ጴ&#Ț&#Ɂ&#ጬ&#ጥ&#ጲ&#ጴ&#Ȉ&#Ȃ&#ȸ&#ȳ&#ȳ&#Ȃ&#ȉ

As you can see, the expected effect is achieved after the change.
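
The nesting problem the description refers to, reduced to a small PHP model. This is an added example, not code from this pull request or from Typecho: `ALPHABET`, `decodePerChar`, `decodeSingleScan` and `isStable` are assumed names, the character set is shortened, and the single-scan variant is one possible way to avoid the problem, not necessarily the change made here.

```php
<?php
// Added example, not Typecho's code: a simplified model of an
// entity-replacement step. ALPHABET is an assumed, shortened character set.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyz1234567890';

// Per-character replacement. Each pattern can match only a prefix of a longer
// digit run, so the replacement text may complete a new entity for a
// character whose turn in the loop has already passed.
function decodePerChar(string $val): string
{
    for ($i = 0; $i < strlen(ALPHABET); $i++) {
        $pattern = '/&#0{0,8}' . ord(ALPHABET[$i]) . ';?/';
        $val = preg_replace($pattern, ALPHABET[$i], $val);
    }
    return $val;
}

// Single left-to-right scan. The whole digit run is consumed as one number
// and replaced text is never rescanned, so no entity can be re-formed.
function decodeSingleScan(string $val): string
{
    return preg_replace_callback(
        '/&#0*(\d{1,7});?/',
        function (array $m): string {
            $cp = (int) $m[1];
            $ch = $cp < 128 ? chr($cp) : '';
            // Decode only characters in ALPHABET; leave everything else as is.
            return ($ch !== '' && strpos(ALPHABET, $ch) !== false) ? $ch : $m[0];
        },
        $val
    );
}

// Regression check for a filter test suite: a decoding step is stable when
// running it again on its own output changes nothing.
function isStable(callable $decode, string $input): bool
{
    $once = $decode($input);
    return $decode($once) === $once;
}

// Two groups taken from the test string quoted in the description above.
$sample = '&#&#4911&#&#4910';

var_dump(decodePerChar($sample));
var_dump(isStable('decodePerChar', $sample));
var_dump(decodeSingleScan($sample));
var_dump(isStable('decodeSingleScan', $sample));
```

A stability check like `isStable` can be run over any decoding step's test inputs to catch output that still contains entities the same step would decode.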
