Snitz Forums 2000
 V3.3(.03) BUG+FIX: inc_functions.asp

davevg
Starting Member

12 Posts

Posted - 10 May 2002 :  13:01:10
I'm not sure whether this is a workaround which needs to be fixed, but you can still run JavaScript on client machines by doing something similar to below in a post with HTML turned on.

<SCRIPT LANGUAGE="JavaScript" src="www.somedomain.com/somescript.js"></script>


Unless I missed a patch somewhere besides the 4 posts in the Security Bug Fixes forum that I didn't apply.


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 10 May 2002 :  13:41:24
The only way to prevent that is to turn HTML OFF.

lelo
Starting Member

7 Posts

Posted - 21 May 2002 :  06:39:01
quote:
in your inc_functions.asp, in the ReplaceImageTags function find this section of code:

strUrlText = replace(strUrlText, """", "") ' ## filter out "
'## Added to exclude Javascript and other potentially hazardous characters
strUrlText = replace(strUrlText, "&", "", 1, -1, 1) ' ## filter out &
strUrlText = replace(strUrlText, "#", "", 1, -1, 1) ' ## filter out #
strUrlText = replace(strUrlText, ";", "", 1, -1, 1) ' ## filter out ;
strUrlText = replace(strUrlText, "+", "", 1, -1, 1) ' ## filter out +
strUrlText = replace(strUrlText, "(", "", 1, -1, 1) ' ## filter out (
strUrlText = replace(strUrlText, ")", "", 1, -1, 1) ' ## filter out )
strUrlText = replace(strUrlText, "[", "", 1, -1, 1) ' ## filter out [
strUrlText = replace(strUrlText, "]", "", 1, -1, 1) ' ## filter out ]
strUrlText = replace(strUrlText, "=", "", 1, -1, 1) ' ## filter out =
strUrlText = replace(strUrlText, "*", "", 1, -1, 1) ' ## filter out *
strUrlText = replace(strUrlText, "'", "", 1, -1, 1) ' ## filter out '
strUrlText = replace(strUrlText, "javascript", "", 1, -1, 1) ' ## filter out javascript
add the following to that section:


strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1) ' ## filter out vbscript
strUrlText = replace(strUrlText, "mailto", "", 1, -1, 1) ' ## filter out mailto

In 3.3.02 the first part isn't there, only:
quote:

strUrlText = replace(strUrlText, """", "") ' ## filter out "
strUrlText = replace(strUrlText, "<", "") ' ## filter out <
strUrlText = replace(strUrlText, ">", "") ' ## filter out >
strResultString = strResultString & roTag & strUrlText & rcTag & strArray2(1)


So I made it like this:
quote:

strUrlText = replace(strUrlText, """", "") ' ## filter out "
strUrlText = replace(strUrlText, "<", "") ' ## filter out <
strUrlText = replace(strUrlText, ">", "") ' ## filter out >
strUrlText = replace(strUrlText, "&", "", 1, -1, 1) ' ## filter out &
strUrlText = replace(strUrlText, "#", "", 1, -1, 1) ' ## filter out #
strUrlText = replace(strUrlText, ";", "", 1, -1, 1) ' ## filter out ;
strUrlText = replace(strUrlText, "+", "", 1, -1, 1) ' ## filter out +
strUrlText = replace(strUrlText, "(", "", 1, -1, 1) ' ## filter out (
strUrlText = replace(strUrlText, ")", "", 1, -1, 1) ' ## filter out )
strUrlText = replace(strUrlText, "[", "", 1, -1, 1) ' ## filter out [
strUrlText = replace(strUrlText, "]", "", 1, -1, 1) ' ## filter out ]
strUrlText = replace(strUrlText, "=", "", 1, -1, 1) ' ## filter out =
strUrlText = replace(strUrlText, "*", "", 1, -1, 1) ' ## filter out *
strUrlText = replace(strUrlText, "'", "", 1, -1, 1) ' ## filter out '
strUrlText = replace(strUrlText, "javascript", "", 1, -1, 1) ' ## filter out javascript
strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1) ' ## filter out vbscript
strUrlText = replace(strUrlText, "mailto", "", 1, -1, 1) ' ## filter out mailto
strResultString = strResultString & roTag & strUrlText & rcTag & strArray2(1)


Is it a good change?



Edited by - lelo on 21 May 2002 06:42:43
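As an added example (not code from this thread or from Snitz), here is a Python model of the quoted ReplaceImageTags blacklist beside a hypothetical scheme-allowlist check, run over constructed sample URLs. It shows that the blacklist silently mangles legitimate query strings (it deletes & and =), while an allowlist leaves valid http(s) image URLs untouched and rejects every other scheme outright.

```python
import re
from urllib.parse import urlsplit

# Order and entries copied from the ReplaceImageTags filter quoted above.
# Each VBScript Replace(str, find, "", 1, -1, 1) call removes every
# occurrence, case-insensitively (compare = 1 = vbTextCompare).
BLACKLIST = ['"', "<", ">", "&", "#", ";", "+", "(", ")", "[", "]", "=", "*", "'",
             "javascript", "vbscript", "mailto"]

def snitz_filter_url_text(url_text: str) -> str:
    """Python model of the posted blacklist filter: one pass per entry."""
    for bad in BLACKLIST:
        url_text = re.sub(re.escape(bad), "", url_text, flags=re.IGNORECASE)
    return url_text

# Hypothetical allowlist check (not part of Snitz): rather than deleting
# characters, accept only absolute http(s) URLs and reject everything else.
ALLOWED_SCHEMES = {"http", "https"}

def is_acceptable_image_url(url_text: str) -> bool:
    """True only for absolute http/https URLs without control characters."""
    if re.search(r"[\x00-\x1f\x7f]", url_text):
        return False  # control characters never belong in an image URL
    parts = urlsplit(url_text.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)

if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    samples = [
        "http://img.example.com/pic.gif",           # plain image link
        "http://img.example.com/a.gif?w=100&h=50",  # legitimate query string
        "JavaScript:void(0)",                       # non-image scheme
        "/images/pic.gif",                          # relative path, no host
    ]
    for s in samples:
        print(f"{s!r:44} blacklist -> {snitz_filter_url_text(s)!r:40} "
              f"allowlist -> {is_acceptable_image_url(s)}")
```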

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 21 May 2002 :  06:46:06
The part that you are missing was added with the bug fix here:

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=23660


This bug fix was in addition to the one above.
Snitz Forums 2000 © 2000-2021 Snitz™ Communications. Powered By: Snitz Forums 2000 Version 3.4.07