[Video CMS v4] Html tags in comments (Read 1186 times)


fourdeltaOne  June 13, 2014, 11:43:52 PM

hello!

I do not know how, but today someone who tried to find a hole or hack the site started writing strange code and scripts in the comments.

Here is the code that was left in the comments.

Code
1 code ####################################

<html><body><h1>TEST</h1></body></html>

2 code ####################################

<?php echo "test";?>

3 code ####################################

<?php     for($i = 0; $i <10; $i++) {echo $i;}?>

4 code ####################################

<!--?php
for($i = 0; $i <10; $i++) {
echo $i;
}?-->

5 code ####################################

<!--?php echo DB; ?-->
<?php echo DB; ?>

6 code ####################################

<script>
function count_rabbits() {
    for(var i=1; i<=3; i++) {
        alert("Кролик номер "+i)
    }
}
count_rabbits();
</script>

7 code ####################################

<input  type="file" />


I want to ask: is it possible to prohibit writing HTML, PHP, Java code?

Skype: epic.mediauz


Alexander  June 14, 2014, 01:34:52 PM

You think you got hacked cause that comment had code in it?
I have hundreds of those per month :)
If the code just parses and not executes, then the toDb() function does a nice job :)


fourdeltaOne  June 14, 2014, 02:32:32 PM

Alex, anything is possible :)

Is it possible to disable HTML in comments?



Alexander  June 14, 2014, 03:24:54 PM

Simplest way

/lib/ajax/addComment.php

Replace
Code
$com_body = toDb($_REQUEST['comment']);

with

Code
$com_body = toDb(strip_tags($_REQUEST['comment']));

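An added example (not Video CMS code and not Alexander's) showing what the strip_tags() change does to comment bodies like the ones quoted in this thread, with escaping on output added as a second layer so that comments already stored before the fix are also displayed as text; toDb() is assumed to be the CMS's DB-escaping helper and is stubbed here.

```php
<?php
// Added example, not from Video CMS. Runs the patched addComment.php logic
// over constructed copies of the comment bodies quoted in the thread, and
// shows output-side escaping for rows stored before the fix.

// Stub standing in for the CMS's toDb() (assumed to escape for SQL only).
function toDb($s) {
    return $s;
}

// Input side: the replacement line suggested for /lib/ajax/addComment.php.
// strip_tags() removes HTML tags, HTML comments and <?php ... ?> blocks,
// but keeps the text between tags (e.g. the body of a <script> element).
function sanitizeCommentForDb($raw) {
    return toDb(strip_tags(trim($raw)));
}

// Output side: escape whatever the DB holds when rendering the page, so
// markup in old, unfiltered rows is shown literally, not interpreted.
function renderComment($stored) {
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed samples modelled on the comments quoted above.
$samples = [
    '<html><body><h1>TEST</h1></body></html>',
    '<?php echo "test";?>',
    '<!--?php echo DB; ?-->',
    '<script>alert("Rabbit number 1")</script>',
    '<input  type="file" />',
    'a normal comment',
];

foreach ($samples as $raw) {
    $stored = sanitizeCommentForDb($raw);
    printf("raw:                 %s\n", $raw);
    printf("stored (new rows):   %s\n", $stored);
    printf("rendered (new rows): %s\n", renderComment($stored));
    // Rows written before the fix never passed through strip_tags().
    printf("rendered (old rows): %s\n\n", renderComment($raw));
}
```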

fourdeltaOne  June 14, 2014, 05:52:00 PM

Nothing has changed. They are the same.



Alexander  June 14, 2014, 08:27:00 PM

New ones? Cause old ones won't change.


fourdeltaOne  June 15, 2014, 10:49:28 AM

Yes, the same.



Alexander  June 15, 2014, 02:11:06 PM

I'll look into it and get back to you.
