I-MrKnox-I wrote:Okay... I got it!
God, this was lame, but anyways...
I hope it is not to much of a spoiler - if so, feel free to edit!
There are many ways to sanitize PHP_SELF (assuming you all know this is the vuln) as you might know by now. However, most of the ways will sanitize a lot of "innocent" chars too. We do not want this to happen. Luckily there is an alternative which is very alike, but only sanitizes the most "dangerous" chars like '<', '>' and quotes. This is what we are looking for.
BAzly wrote:I believe that I have well and truly learned the lesson being taught here... I am 90% sure that the function I am trying to use to sanitize the vulnerability is correct... but it looks like the answer has to be "exact".
Kontagious wrote:I totally agree with what the above quotation says, and I also want to quote a site posted in one of the other extbasic 7 threads, http://seancoates.com/xss-woes , because it helped me out immensely. I believe I have the correct idea on how to fix the problem, but implementing my fixes is my problem. I currently have selected one (uno ) function that (theoretically) will remove only the most dangerous characters from a selected string, variable, etc. (from [possible spoiler?] http://www.w3schools.com/PHP/php_ref_string.asp).
addik wrote:The post/get mistake just gives a hint of what line has a mistake...
http://blog.phpdoc.info/archives/13-XSS-Woes.html will give you a hint, one thing I will say, make sure you try every variant of x function even if the differences are subtle.
Users browsing this forum: No registered users and 0 guests