The problem is that JavaScript is a tricky thing, and can still function even when it is completely garbled.
For instance: Javascript:alert('XSS'); will still make a popup window.
I haven't found a way to exploit this yet, but that doesn't mean it is impossible, now or in the future.
I suggest adding a small function to the bbcode/output class that does the following:
function xss_stop($str)
{
    // Insert an empty <b></b> before every colon so that "javascript:"
    // is broken up and is no longer read as a URL scheme.
    $pattern = '/:/';
    $replacement = '<b></b>:';
    return preg_replace($pattern, $replacement, $str);
}
javascript:alert('xss');
to
javascript<b></b>:alert('xss');
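An added example, not the poster's code and not part of phpBB: instead of only breaking up the colon, a bbcode [url] handler can accept a link only when its scheme is on an allowlist, after undoing the tabs, case changes and HTML entities a browser would tolerate in the scheme. The function name bbcode_safe_url and the allowlist contents are assumptions.

```php
<?php
// Added example, not from the original post or from phpBB. Hypothetical
// helper for a bbcode [url] handler: keep only URLs whose scheme is allowed.
// Browsers tolerate tabs, newlines, mixed case and HTML entities inside the
// scheme, so the value is normalised before the scheme is inspected.

const SAFE_URL_SCHEMES = ['http', 'https', 'ftp', 'mailto'];

/**
 * Returns an attribute-safe href, or null if the link must be dropped.
 */
function bbcode_safe_url(string $url): ?string
{
    // 1. Decode entities (e.g. &#106;avascript:) the way the browser would.
    $decoded = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Remove ASCII control characters and whitespace that URL parsing ignores.
    $clean = preg_replace('/[\x00-\x20\x7F]+/', '', $decoded);
    if ($clean === null || $clean === '') {
        return null;
    }

    // 3. If a scheme is present it must be on the allowlist (case-insensitive).
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $clean, $m)) {
        if (!in_array(strtolower($m[1]), SAFE_URL_SCHEMES, true)) {
            return null; // javascript:, data:, vbscript: and anything unknown
        }
    }
    // No scheme at all: a relative link, which cannot carry script.

    // 4. Escape for use inside href="..." so quotes cannot close the attribute.
    return htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs for a quick check.
$samples = [
    'http://example.com/page?id=7',
    'javascript:alert(\'xss\')',
    "Java\tscript:alert('xss')",
    '&#106;avascript:alert(1)',
    '/forum/viewtopic.php?t=1',
];
foreach ($samples as $s) {
    $out = bbcode_safe_url($s);
    echo str_pad(json_encode($s), 40), ' => ', $out === null ? 'DROPPED' : $out, PHP_EOL;
}
```

The first and last samples are kept; the three javascript: variants are dropped regardless of the tab, case or entity encoding.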