
HTMLPurifier Not working?

Developer https://www.devze.com 2023-03-04 14:16 Source: web

I'm putting HTMLPurifier through some tests to make sure that everything works as expected. I'm using examples from http://ha.ckers.org/xss.html. I think everything I coded is 'correct' but I am able to pass one of the XSS examples right through. Can anybody assist me?

Here is the page common1.php; it declares a function and processes the data:

<?php
require_once 'HTMLPurifier.auto.php'; // loads the HTMLPurifier library (assumed to be on the include path)

$config = HTMLPurifier_Config::createDefault();

// configuration goes here:
$config->set('Core.Encoding', 'UTF-8'); // replace with your encoding
$config->set('HTML.Doctype', 'XHTML 1.0 Strict'); // replace with your doctype

function purify($data){
    global $config; // $config lives at file scope; without this the function sees an undefined variable
    $purifier = new HTMLPurifier($config);
    // untrusted input HTML
    $pure_html = htmlspecialchars($purifier->purify($data));

    return $data; // returns the raw input instead of $pure_html (the bug the answer below points out)
}
?>

And here is my debug script that attempts (and succeeds 0_o) in passing XSS:

<?php
    include('common1.php');

    $t = "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">";
    echo purify($t);
?>


You're returning the unpurified markup. Change your return statement:

function purify($data){
    global $config; // $config is defined at file scope in common1.php; without this the function sees an undefined variable
    $purifier = new HTMLPurifier($config);
    // untrusted input HTML
    $pure_html = htmlspecialchars($purifier->purify($data));

    return $pure_html;
}
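As an added example (not code from the question or the answer), here is the wrapper rewritten so the configuration is passed in explicitly instead of read from a variable that is out of scope inside the function, together with the self-check the question was really after: running the question's payload through the wrapper and confirming no script element survives. It assumes HTMLPurifier.auto.php is on the include path; the function names are my own.

```php
<?php
// Added example: a purify() wrapper that receives its HTMLPurifier instance as a
// parameter, plus a small regression check against the payload from the question.
require_once 'HTMLPurifier.auto.php'; // assumption: HTMLPurifier is on the include path

function makePurifier(): HTMLPurifier {
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'XHTML 1.0 Strict');
    return new HTMLPurifier($config);
}

// Sanitized HTML, meant to be inserted into a page as markup.
function purifyHtml(HTMLPurifier $purifier, string $untrusted): string {
    return $purifier->purify($untrusted);
}

// The sanitized markup escaped as text. This is what the question's wrapper
// computed but never returned; use it only where the tags should be shown
// literally (e.g. a "view source" box), not rendered as HTML.
function purifyAsText(HTMLPurifier $purifier, string $untrusted): string {
    return htmlspecialchars(purifyHtml($purifier, $untrusted), ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: the payload from the question plus benign markup that
// must survive, so the check also catches a wrapper that strips everything.
$samples = [
    'payload' => '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
    'benign'  => '<p>Hello <b>world</b></p>',
];

$purifier = makePurifier();
foreach ($samples as $name => $input) {
    $html = purifyHtml($purifier, $input);
    // Regression check: no script element may survive, whatever the purifier
    // does with the rest of the input. Returning $data instead of the purified
    // value, as in the question, makes this check fail immediately.
    $noScript = stripos($html, '<script') === false;
    printf("%-8s %s\n   html: %s\n   text: %s\n",
        $name,
        $noScript ? 'ok: no <script> in output' : 'FAILED: <script> survived',
        $html,
        purifyAsText($purifier, $input));
}
```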
