Author Topic: Tutorials Site  (Read 4079 times)


Chat
Re: Tutorials Site
« Reply #15 on: April 13, 2007, 01:09:01 PM »
I was not aware of this unrestricted includes folder.

Anyway, I still can't seem to access the raw PHP. I tried saving the file, but my silly library computer is messing me around. Can you paste the PHP code in this thread?

obsidian
Re: Tutorials Site
« Reply #16 on: April 13, 2007, 01:16:53 PM »
Quote
Anyway, I still can't seem to access the raw PHP. I tried saving the file, but my silly library computer is messing me around.

That's just it. Because it is PHP, you cannot access the raw code through a browser. You would have to have the author share the code with you (like you've asked).
You can't win, you can't lose, you can't break even... you can't even get out of the game.

Code: [Select]
<?php
while (count($life->getQuestions()) > 0)
{   
$life->study(); } ?>
  LINKS: PHP: Manual MySQL: Manual PostgreSQL: Manual (X)HTML: Validate It! CSS: A List Apart | IE bug fixes | Zen Garden | Validate It! JavaScript: Reference Cards RegEx: Everything RegEx

.Darkman (topic starter)
Re: Tutorials Site
« Reply #17 on: April 13, 2007, 10:14:28 PM »
Quote
I think that you've done a pretty good job overall, but it's hard to say without seeing the result of my submission.

I tried to put some different types of things in to see what I could get away with, and I was able to submit some different characters and things that could leave you XSS vulnerable, but I didn't go that far.
Oh! Thanks for pointing that out.
I thought of stripping the tags off the text, but then I ignored it because I'll be able to accept or reject tutorials before they show on the site.

For example, I looked at your submission. I deleted it.

So do you say that I should strip the Description of tags?


Thanks,

obsidian
Re: Tutorials Site
« Reply #18 on: April 14, 2007, 09:30:01 AM »
Quote
For example, I looked at your submission. I deleted it.

So do you say that I should strip the Description of tags?

It's totally up to you, but here's the thing: if the JavaScript I entered into the description actually showed a popup when you reviewed my submission, then, if I were mean, I could have taken that to the next level and used the JavaScript that would run to send your PHPSESSID to myself. If I have that, I could have then used your cookie to log in as you (hypothetically). While I'm oversimplifying things for the sake of argument here, the threat is very real. Any time you have client script running that you did not write (especially in an admin panel), it can be very dangerous.

.Darkman (topic starter)
Re: Tutorials Site
« Reply #19 on: April 14, 2007, 09:34:06 AM »
Quote
For example, I looked at your submission. I deleted it.

So do you say that I should strip the Description of tags?

It's totally up to you, but here's the thing: if the JavaScript I entered into the description actually showed a popup when you reviewed my submission, then, if I were mean, I could have taken that to the next level and used the JavaScript that would run to send your PHPSESSID to myself. If I have that, I could have then used your cookie to log in as you (hypothetically). While I'm oversimplifying things for the sake of argument here, the threat is very real. Any time you have client script running that you did not write (especially in an admin panel), it can be very dangerous.

Very true.
So, will it be okay if I use the following code before submitting the information into the database?
Code:
$description = strip_tags($description);

obsidian
Re: Tutorials Site
« Reply #20 on: April 14, 2007, 09:41:41 AM »
Quote
Very true.
So, will it be okay if I use the following code before submitting the information into the database?
Code:
$description = strip_tags($description);

Yes, however, you may wish to give your submitters some limited HTML to spice up the descriptions. If so, just use the optional second parameter with strip_tags():
Code:
<?php
// The allowed tags are passed in angle-bracket form, which is what strip_tags() expects.
$description = strip_tags($description, '<b><i><u><strong><em>');
?>


Good luck!
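As an added example (not code from this thread or from the tutorials site being discussed), here is the allow-list form of strip_tags() from the reply above together with the caveat the PHP manual gives for it: attributes on the tags you keep are not removed, so they still need to be dropped separately, and the strip-everything choice is safest when paired with escaping on output. The function names and the sample submission are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names and the sample
// submission are constructed for illustration; the allow-list matches the
// tags suggested in the reply above.
declare(strict_types=1);

// strip_tags() expects allowed tags in this angle-bracket form, not "b i u".
const ALLOWED_TAGS = '<b><i><u><strong><em>';

// Step 1: remove every tag that is not on the allow-list.
// Caveat (from the PHP manual): attributes on the tags that are kept are NOT
// removed, so an allowed <b> could still carry an event handler attribute.
function stripDisallowedTags(string $description): string
{
    return strip_tags($description, ALLOWED_TAGS);
}

// Step 2: reduce each surviving tag to its bare form, dropping attributes.
function stripAttributes(string $html): string
{
    $bare = preg_replace('/<(\/?)(b|i|u|strong|em)\b[^>]*>/i', '<$1$2>', $html);
    return $bare ?? '';
}

// Run before the description is written to the database.
function sanitizeDescription(string $description): string
{
    return stripAttributes(stripDisallowedTags($description));
}

// For the strip-all-tags choice: escape on output as well, so whatever is in
// the database is displayed as text and never interpreted as markup.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission mixing an allowed tag that carries an
// attribute with a disallowed tag.
$submitted = 'Learn <b onmouseover="alert(1)">PHP</b> fast <script>alert(1)</script> with <em>ease</em>';

echo sanitizeDescription($submitted), PHP_EOL;        // limited HTML kept, attributes gone
echo escapeForHtml(strip_tags($submitted)), PHP_EOL;  // no HTML at all
```

Whichever path is chosen, escaping at the point of display protects the admin review page described earlier in the thread even if a future input path bypasses the sanitizer.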

.Darkman (topic starter)
Re: Tutorials Site
« Reply #21 on: April 14, 2007, 09:45:26 AM »
Thanks a lot for your help. Even those HTML tags would spoil the look, so I'll strip all the tags.


Thanks,