twin/jul
1
0
Fork 0
mirror of https://github.com/Xkeeper0/jul.git synced 2025-07-26 09:42:01 -07:00
Code Issues Packages Projects Releases Wiki Activity

Update filtering methods to remove more XSS crap

Browse Source
This commit is contained in:
Xkeeper
2018-01-24 21:33:07 -08:00
parent c028c21269
commit f7ea4c15f4
1 changed files with 40 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
lib/function.php
View File

@@ -537,7 +537,6 @@ function doreplace2($msg, $options='0|0'){
$msg=preg_replace("'\[url\](.*?)\[/url\]'si", '<a href=\\1>\\1</a>', $msg); $msg=preg_replace("'\[url\](.*?)\[/url\]'si", '<a href=\\1>\\1</a>', $msg);
$msg=preg_replace("'\[url=(.*?)\](.*?)\[/url\]'si", '<a href=\\1>\\2</a>', $msg); $msg=preg_replace("'\[url=(.*?)\](.*?)\[/url\]'si", '<a href=\\1>\\2</a>', $msg);
$msg=str_replace('http://nightkev.110mb.com/justus_layout.css','about:blank',$msg); $msg=str_replace('http://nightkev.110mb.com/justus_layout.css','about:blank',$msg);
$msg=preg_replace("'\[youtube\]([a-zA-Z0-9_-]{11})\[/youtube\]'si", '<iframe src="https://www.youtube.com/embed/\1" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe>', $msg);
do { do {
@@ -1195,35 +1194,7 @@ function include_js($fn, $as_tag = false) {
function dofilters($p){ function dofilters($p){
global $hacks; global $hacks;
$temp = $p; $temp = $p;
if (filter_bool($_GET['t']) && false) {
$p=preg_replace("'<script(.*?)</script>'si",'',$p);
$p=preg_replace("'<script'si",'',$p);
$p=preg_replace("'\b\s(on[^=]*?=.*)\b'si",'',$p);
} else {
$p=preg_replace("'onload'si",'onl<z>oad',$p);
$p=preg_replace("'onerror'si",'oner<z>ror',$p);
$p=preg_replace("'onunload'si",'onun<z>load',$p);
$p=preg_replace("'onchange'si",'onch<z>ange',$p);
$p=preg_replace("'onsubmit'si",'onsu<z>bmit',$p);
$p=preg_replace("'onreset'si",'onr<z>eset',$p);
$p=preg_replace("'onselect'si",'ons<z>elect',$p);
$p=preg_replace("'onblur'si",'onb<z>lur',$p);
$p=preg_replace("'onfocus'si",'onfo<z>cus',$p);
$p=preg_replace("'onclick'si",'oncl<z>ick',$p);
$p=preg_replace("'ondblclick'si",'ondbl<z>click',$p);
$p=preg_replace("'onmousedown'si",'onm<z>ousedown',$p);
$p=preg_replace("'onmousemove'si",'onmou<z>semove',$p);
$p=preg_replace("'onmouseout'si",'onmou<z>seout',$p);
$p=preg_replace("'onmouseover'si",'onmo<z>useover',$p);
$p=preg_replace("'onmouseup'si",'onmou<z>seup',$p);
}
//$p=preg_replace("'<object(.*?)</object>'si","",$p);
//$p=preg_replace("'autoplay'si",'',$p); // kills autoplay, need to think of a solution for embeds.
// Absolute allowed now alongside position:relative div
//$p=preg_replace("'position\s*:\s*(absolute|fixed)'si", "display:none", $p);
$p=preg_replace("'position\s*:\s*fixed'si", "display:none", $p); $p=preg_replace("'position\s*:\s*fixed'si", "display:none", $p);
@@ -1244,52 +1215,74 @@ function dofilters($p){
$p=preg_replace("':trolldra:'si", '<img src="/images/trolldra.png">', $p); $p=preg_replace("':trolldra:'si", '<img src="/images/trolldra.png">', $p);
$p=preg_replace("':reggie:'si",'<img src=http://xkeeper.net/img/reggieshrug.jpg title="REGGIE!">',$p); $p=preg_replace("':reggie:'si",'<img src=http://xkeeper.net/img/reggieshrug.jpg title="REGGIE!">',$p);
// $p=preg_replace("'drama'si", 'batter blaster', $p);
// $p=preg_replace("'TheKinoko'si", 'MY NAME MEANS MUSHROOM... IN <i>JAPANESE!</i> HOLY SHIT GUYS THIS IS <i>INCREDIBLE</i>!!!!!!!!!', $p);
// $p=preg_replace("'hopy'si",'I am a dumb',$p);
$p=preg_replace("'crashdance'si",'CrashDunce',$p);
$p=preg_replace("'get blue spheres'si",'HI EVERYBODY I\'M A RETARD PLEASE BAN ME',$p);
$p=preg_replace("'zeon'si",'shit',$p); $p=preg_replace("'zeon'si",'shit',$p);
$p=preg_replace("'faith in humanity'si",'IQ',$p);
// $p=preg_replace("'motorcycles'si",'<img src="images/cardgames.png" align="absmiddle" title="DERP DERP DERP">',$p);
// $p=preg_replace("'card games'si",'<img src="images/motorcycles.png" align="absmiddle" title="GET BLUE SPHERES">',$p);
// $p=preg_replace("'touhou'si", "Baby's First Bullet Hell&trade;", $p);
// $p=preg_replace("'nintendo'si",'grandma',$p);
// $p=preg_replace("'card games on motorcycles'si",'bard dames on rotorcycles',$p);
$p=str_replace("ftp://teconmoon.no-ip.org", 'about:blank', $p);
if (filter_bool($hacks['comments'])) { if (filter_bool($hacks['comments'])) {
$p=str_replace("<!--", '<font color=#80ff80>&lt;!--', $p); $p=str_replace("<!--", '<font color=#80ff80>&lt;!--', $p);
$p=str_replace("-->", '--&gt;</font>', $p); $p=str_replace("-->", '--&gt;</font>', $p);
} }
$p=preg_replace("'(https?://.*?photobucket.com/)'si",'images/photobucket.png#\\1',$p); $p=preg_replace("'(https?://.*?photobucket.com/)'si",'images/photobucket.png#\\1',$p);
// $p=str_replace("http://imageshack.us", "imageshit", $p);
$p=preg_replace("'http://.{0,3}\.?tinypic\.com'si",'tinyshit',$p); $p=preg_replace("'http://.{0,3}\.?tinypic\.com'si",'tinyshit',$p);
$p=str_replace('<link href="http://pieguy1372.freeweb7.com/misc/piehills.css" rel="stylesheet">',"",$p); $p=str_replace('<link href="http://pieguy1372.freeweb7.com/misc/piehills.css" rel="stylesheet">',"",$p);
$p=str_replace("tabindex=\"0\" ","title=\"the owner of this button is a fucking dumbass\" ",$p); $p=str_replace("tabindex=\"0\" ","title=\"the owner of this button is a fucking dumbass\" ",$p);
$p=str_replace("%WIKISTATSFRAME%","<div id=\"widgetIframe\"><iframe width=\"600\" height=\"260\" src=\"http://stats.rustedlogic.net/index.php?module=Widgetize&action=iframe&moduleToWidgetize=VisitsSummary&actionToWidgetize=getSparklines&idSite=2&period=day&date=today&disableLink=1\" scrolling=\"no\" frameborder=\"0\" marginheight=\"0\" marginwidth=\"0\"></iframe></div>",$p);
$p=str_replace("%WIKISTATSFRAME2%", '<div id="widgetIframe"><iframe width="100%" height="600" src="http://stats.rustedlogic.net/index.php?module=Widgetize&action=iframe&moduleToWidgetize=Referers&actionToWidgetize=getWebsites&idSite=2&period=day&date=2010-10-12&disableLink=1" scrolling="no" frameborder="0" marginheight="0" marginwidth="0"></iframe></div>', $p);
// $p=str_replace("http://xkeeper.shacknet.nu:5/", 'http://xchan.shacknet.nu:5/', $p); // $p=str_replace("http://xkeeper.shacknet.nu:5/", 'http://xchan.shacknet.nu:5/', $p);
// $p=preg_replace("'<style'si",'&lt;style',$p); // $p=preg_replace("'<style'si",'&lt;style',$p);
//$p=preg_replace("'%BZZZ%'si",'onclick="bzzz(',$p); //$p=preg_replace("'%BZZZ%'si",'onclick="bzzz(',$p);
/*
$p=preg_replace("'document.cookie'si",'document.co<z>okie',$p); $p=preg_replace("'document.cookie'si",'document.co<z>okie',$p);
$p=preg_replace("'eval'si",'eva<z>l',$p); $p=preg_replace("'eval'si",'eva<z>l',$p);
// $p=preg_replace("'document.'si",'docufail.',$p);
$p=preg_replace("'<script'si",'<<z>script',$p); $p=preg_replace("'<script'si",'<<z>script',$p);
$p=preg_replace("'</script'si",'<<z>/script',$p); $p=preg_replace("'</script'si",'<<z>/script',$p);
$p=preg_replace("'javascript:'si",'javasc<z>ript:',$p); $p=preg_replace("'javascript:'si",'javasc<z>ript:',$p);
$p=preg_replace("'<iframe(?! src=\"https://www.youtube.com/embed/)'si",'<<z>iframe',$p); $p=preg_replace("'<iframe(?! src=\"https://www.youtube.com/embed/)'si",'<<z>iframe',$p);
$p=preg_replace("'<meta'si",'<<z>meta',$p); $p=preg_replace("'<meta'si",'<<z>meta',$p);
*/
$p = xss_clean($p);
$p =preg_replace("'\[youtube\]([a-zA-Z0-9_-]{11})\[/youtube\]'si", '<iframe src="https://www.youtube.com/embed/\1" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe>', $p);
return $p; return $p;
} }
// https://stackoverflow.com/questions/1336776/xss-filtering-function-in-php
function xss_clean($data) {
// Fix &entity\n;
$data = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $data);
$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
$data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');
// Remove any attribute starting with "on" or xmlns
#$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
do {
$old_data = $data;
$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(on|xmlns)([^>]*+)>#iu', '$1DISABLED_$2$3>', $data);
} while ($old_data !== $data);
// Remove javascript: and vbscript: protocols
$data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);
// Remove namespaced elements (we do not need them)
$data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);
do {
// Remove really unwanted tags
$old_data = $data;
$data = preg_replace('#<(/*(?:applet|b(?:ase|gsound)|embed|frame(?:set)?|i(?:frame|layer)|link|meta|object|script|title|xml)[^>]*+)>#i', '&lt;$1&gt;', $data);
} while ($old_data !== $data);
return $data;
}
require 'lib/threadpost.php'; require 'lib/threadpost.php';
// require 'lib/replytoolbar.php'; // require 'lib/replytoolbar.php';