in reply to Turn JavaScript off on HomeNodes
Slashdot|MS Security: On A Path As Clear As It Is Reliable pointed me to Expert hacks Hotmail in 1 line of code which in turn pointed me here, which reveals that STYLE tags in netscape will execute the stuff enclosed in style tags as javascript, if the TYPE attribute of the style tag is "application/x-javascript".
Your code: 56: $str=~s/<script[^>]*>.*?<\/script[^>]*>//igs if $$USER{jsoff};
My addition (you're welcome to improve):
Also evil are object, applet and embed tags (i'm sure there are others).#!/usr/bin/perl -w use strict; my $string = q|<STYLE TYPE="application/x-javascript" Language='Englis +h' TYPE="application/x-javascript">|; printf "%s\n", $string; $string =~ s¡<STYLE\s([^>]*)>¡ { my $trt = $1; # $trt =~ s!type=\S+?(\s|"|')!TYPE="text/css"!igs; $trt =~ s!type=\S+?[ '"]!TYPE="text/css"!igs; qq(<STYLE $trt>) }¡eigsx; printf "%s\n", $string;
update: a slightly smarter version
update: OeufMayo says in the cb, what about: <a href="#" onClick="alert('evil javascript here');">#!/usr/bin/perl -w use strict; my $string = q|<STYLE TYPE="application/x-javascript" Language='Englis +h' TYPE="application/x-javascript">|; printf "%s\n", $string; $string =~ s¡<STYLE\s([^>]*>)¡ { my $trt = $1; # $trt =~ s!type=\S+?(\s|"|')!TYPE="text/css"!igs; $trt =~ s!type=\S+?[ '">]!TYPE="text/css"!igs; $trt .= '>' if substr($trt,-1,1) ne '>'; qq(<STYLE $trt) }¡eigsx; printf "%s\n", $string;
Well I thought htmlScreen would take care of it, but you do override the filter
$str.=htmlcode('parselinks','doctext,override'); ... in parselinks ... $text=htmlScreen($text,$APPROVED) unless $overridefilter eq "override" +;
___crazyinsomniac_______________________________________
Disclaimer: Don't blame. It came from inside the void
perl -e "$q=$_;map({chr unpack qq;H*;,$_}split(q;;,q*H*));print;$q/$q;"