PhpBB- & WordPress- antispam.com
Home of the Antispam for all fields mod ! 

 PhpBB- & WordPress- antispam.com Forum Index » [PhpBB2] Submit a bug » URL handling
Posted: Mon Oct 29, 2007 1:20 am    Post subject: URL handling

Lord Raiden
Experienced user


Joined: 11 Dec 2006
Posts: 123

Which antispam version?

1.2.7 (yeah, yeah. I'll get around to upgrading it.)

Which phpbb version?

2.0.22

Can you describe the bug?

URLs done with HTML come up as live links when viewing a spam report.

What happened before the bug was visible/triggered ?

Viewed a spam report.

Basically what they've started doing is putting HTML-based URLs like this into a registration:

<a href="http://somedomain.com/virus_link">click me</a>

It shows up as a regular clickable link in the spam report, and might hide most of the rest of the report in the process. I almost got suckered into infecting my PC and giving admin access to my forum to the loser who sent the link. It was so odd to see it that I clicked on it, not thinking about what I was doing, and almost got owned. And if Firefox hadn't been on top of its game, I'd likely be reinstalling Windows right now and dealing with a hacked forum.

Something needs to be added that will take actual HTML-encoded objects and clean them up and make them safe. I'm not saying to remove the HTML. I want to see it and the URLs associated with it. But things like < and > and other HTML stuff like " need to be converted into the HTML equivalents, like &quot; for the " mark, and &gt; for > and so on. I've only encountered it once, but that one almost became one time too many.

Posted: Mon Oct 29, 2007 4:22 pm

ramon fincken
Site Admin


Joined: 11 Dec 2006
Posts: 269
Location: A'dam/Diemen, The Netherlands

tested @ 1.2.8

website:
<a href="http://somedomain.com/virus_link">click me</a>

result:
No valid website url.


Thought about this one too.


Code:
   // Website tests: only run when the field is non-empty and long enough
   // to hold a hostname. A value that fails website_syntax_ok(), such as
   // an HTML-wrapped link, is rejected before it is stored.
   if (!empty ($website) && strlen($website) > 2) {
      if (!website_syntax_ok($website)) {
         return array (
            'error' => true,
            'error_msg' => 'No valid website url.'
         );
      }
   }


Code:
function website_syntax_ok($url) {
   // Everything below works on the lowercased copy, so the match is
   // case-insensitive without needing the /i modifier.
   $url = strtolower($url);
   if (empty ($url))
      return false;
   // Must start with http:// or https:// followed by a hostname with at
   // least one dot (host.tld or sub.host.tld). Anything in front of the
   // scheme, e.g. an opening <a href="...">, fails the anchored match.
   // The pattern is only anchored at the start, so text after a valid
   // URL is not rejected here.
   if (!preg_match('#^https?://[a-z0-9-]+\.([a-z0-9-]+\.)?[a-z]+#', $url)) {
      return false;
   }
   // Reject BBCode [url] / [url=...] tags anywhere in the value.
   if (preg_match('/\[url/', $url)) {
      return false;
   }
   return true;
}

_________________
Phpbbantispam founder, available for freelance WordPress coding.

PhpBB2 mod: http://www.phpbbantispam.com/viewtopic.php?t=1
WordPress plugin: http://wordpress.org/extend/plugins/antispam-for-all-fields/
Project files & mailinglist: https://sourceforge.net/projects/phpbbantispam/

Posted: Mon Oct 29, 2007 8:29 pm

Lord Raiden
Experienced user


Joined: 11 Dec 2006
Posts: 123

Yeah, that might do. The HTML doesn't need to be converted to escape codes in the database. Just when viewing it in the admin control panel, in much the same way phpBB escapes the HTML when viewing it rather than rendering it, but leaving the HTML intact in the database.

Posted: Mon Oct 29, 2007 8:32 pm

ramon fincken
Site Admin


Joined: 11 Dec 2006
Posts: 269
Location: A'dam/Diemen, The Netherlands

Lord Raiden wrote:
Yeah, that might do. The HTML doesn't need to be converted to escape codes in the database. Just when viewing it in the admin control panel, in much the same way phpBB escapes the HTML when viewing it rather than rendering it, but leaving the HTML intact in the database.


That'll be htmlspecialchars().
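Taking the two halves of this thread together (the live link in the spam report described in the opening post, and the htmlspecialchars() answer just above), here is an added PHP example. It is not code from the antispam mod or from either poster. It renders a constructed spam report twice: once the unsafe way, dropping the stored values straight into the page, and once escaping every field at display time while the database copy stays untouched, which is what the bug report asks for. The $report array, its field values and the helper names (esc, render_report, render_report_unsafe, output_is_safe) are assumptions made for the example. Two points the posted website check does not cover: it is anchored only at the start of the value, so a syntactically valid URL followed by extra text still passes it, and it applies to the website field only, not to any other registration field that ends up in the report. Escaping on output is what closes both gaps in the admin panel.

```php
<?php
declare(strict_types=1);
// Added example, not code from the phpbbantispam mod or from either post.
// The $report array and every function name below are assumptions made
// for this example.

// Constructed sample: raw registration fields exactly as they would be
// stored. Nothing is altered on the way in, so the admin still sees what
// the spammer actually submitted.
$report = array(
    'username'  => 'spammer01',
    'website'   => '<a href="http://somedomain.com/virus_link">click me</a>',
    'location'  => "<img src=x onerror='alert(1)'>",      // single-quoted attribute
    'interests' => 'cheap [url=http://somedomain.com/virus_link]pills[/url]',
);

// Escape one value for an HTML text node or a quoted attribute.
// ENT_QUOTES also turns ' into &#039;; before PHP 8.1 the default flags
// (ENT_COMPAT) leave single quotes untouched.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The display the bug report describes: stored values dumped into the page,
// so <a href=...> becomes a live link in the admin control panel.
function render_report_unsafe(array $report): string
{
    $html = "<table>\n";
    foreach ($report as $field => $value) {
        $html .= "  <tr><th>$field</th><td>$value</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Escaped display: every cell goes through esc(), so the admin sees the
// literal tag text. The website field is deliberately not wrapped in an
// <a href>, because a URL that is syntactically valid can still point at
// a malicious page.
function render_report(array $report): string
{
    $html = "<table>\n";
    foreach ($report as $field => $value) {
        $html .= '  <tr><th>' . esc($field) . '</th><td>' . esc($value) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Check that no raw tag from the sample survived escaping and that the
// expected escaped form of the link is present.
function output_is_safe(string $html): bool
{
    $expected = '&lt;a href=&quot;http://somedomain.com/virus_link&quot;&gt;click me&lt;/a&gt;';
    return strpos($html, '<a href') === false
        && strpos($html, '<img') === false
        && strpos($html, $expected) !== false;
}

echo "--- unsafe (live link in a browser) ---\n", render_report_unsafe($report);
echo "--- escaped (literal text in a browser) ---\n", render_report($report);

if (!output_is_safe(render_report($report))) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
echo "escaped output contains no raw tags\n";
```

Run it with `php report.php` and save the two tables to an .html file to compare them in a browser: the first contains a clickable "click me" link, the second shows the `<a href=...>` text verbatim. The escaping belongs in the template that builds the admin page, not in the code that writes the report row, so the stored value stays intact for later inspection.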

Powered by phpBB © 2001, 2005 phpBB Group