Security Learnings

Well, I've updated GrimBB with some extra code to prevent it from getting XSSed (cross-site scripted). Since I didn't want to take the traditional approach of using square-bracket tags (BBCode) to let people enter URL links, images and the like (as it's done here on Dreamincode and practically everywhere else), I had to find a way to prevent JavaScript functions from being inserted into HTML tags. I did this in the following manner:

Within every pair of < > I check for two strings: a parenthesis '(' and the prefix of an HTML numeric character reference '&#'. If either of these is found, it is assumed that the person making the post is attempting to slip in JavaScript methods/functions, so the post is not allowed. Furthermore, I also check for all the known event handler attributes such as onmousedown, onmouseup, etc.
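The three rules above (a '(' inside a tag, an '&#' inside a tag, or a known event handler name inside a tag, each of which rejects the whole post), reimplemented in Python as an added example. This is not GrimBB's own code: the handler list, the tag-matching regex and the sample posts are all constructed here. The handler check is case-insensitive, since browsers treat ONMOUSEDOWN and onmousedown alike. The last two samples are posts that satisfy all three rules and still carry script, which is the usual gap in a tag blacklist: a `<script src=...>` tag needs no parenthesis, and a `javascript:` link can run an assignment instead of a function call.

```python
import re

# Event handler attribute names to reject. The post names onmousedown and
# onmouseup and says "all the known event triggers"; this list is an assumption.
EVENT_HANDLERS = (
    "onabort", "onblur", "onchange", "onclick", "ondblclick", "onerror",
    "onfocus", "onkeydown", "onkeypress", "onkeyup", "onload",
    "onmousedown", "onmousemove", "onmouseout", "onmouseover",
    "onmouseup", "onreset", "onresize", "onselect", "onsubmit", "onunload",
)

# Everything between one '<' and the next '>' is treated as a tag body.
TAG_RE = re.compile(r"<([^>]*)>", re.DOTALL)
# Handler names matched as whole words so that "onload" does not hit
# "monload"; IGNORECASE so that "OnLoad" is caught as well.
EVENT_RE = re.compile(r"\b(" + "|".join(EVENT_HANDLERS) + r")\b", re.IGNORECASE)


def offending_tag(post: str):
    """Return the first tag body that trips one of the three rules, or None."""
    for match in TAG_RE.finditer(post):
        inner = match.group(1)
        if "(" in inner or "&#" in inner or EVENT_RE.search(inner):
            return inner
    return None


def is_allowed(post: str) -> bool:
    """True if no tag in the post trips the filter (the post would be accepted)."""
    return offending_tag(post) is None


# Constructed sample posts for illustration; none come from GrimBB.
SAMPLES = {
    # Harmless HTML the filter is meant to let through.
    "plain_link": '<a href="http://example.com/">example</a>',
    # Rejected: parenthesis and an on* handler inside the tag.
    "img_onerror": '<img src="x" onerror="alert(1)">',
    # Rejected: parenthesis inside the tag.
    "js_href_call": '<a href="javascript:alert(1)">click</a>',
    # Rejected: "&#" (numeric character reference) inside the tag.
    "entity_encoded": '<a href="&#106;avascript:alert(1)">click</a>',
    # Rejected only because handler matching is case-insensitive.
    "upper_handler": '<img src="x" ONMOUSEDOWN="x=1">',
    # Allowed by the three rules, yet loads a script: no '(', no '&#', no on*.
    "script_src": '<script src="http://example.com/x.js"></script>',
    # Allowed by the three rules, yet runs on click: assignment, not a call.
    "js_href_assign": '<a href="javascript:location=\'http://example.com/\'">click</a>',
}


def evaluate():
    """Map each sample name to whether the filter would accept that post."""
    return {name: is_allowed(post) for name, post in SAMPLES.items()}


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name:15s} {'allowed' if allowed else 'rejected'}")
```

Run it and the two "allowed" lines at the bottom are the ones to think about: the rules stop the `alert(1)` style of payload but say nothing about a tag whose script comes from a `src` attribute, or a `javascript:` URL that avoids parentheses, so in practice the tag and attribute names a post may use need a whitelist rather than a list of forbidden substrings.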

The guy I mentioned before who hacked me, one Mr. B9, is now actually helping me develop GrimBB's security and has helped me find these scripting flaws. So let me give a special shout-out to the GrimBB hackers. He also coded a shoutbox script, which has recently been posted up there. I'll keep working with him and others, and hopefully with anyone reading this who is attempting to find other exploits, to make GrimBB even better. Thanks for the help.

ASIDE: A search feature has now been added to every page on GrimBB.

25 November 2006 - 10:49 PM
Yay! I helped :D
