By UwUQueen
22 Jul 2024 20:46
Category: Other

This is the proof of concept: BBCode

[a=#" style="color:red;" onclick="this.parentElement.innerText='Your cookie is:'+document.cookie;]click to show cookie[/a]

Source: BBCode[ a=#" style="color:red;" onclick="this.parentElement.innerText='Your cookie is:'+document.cookie;]click to show cookie[/a]

Resolved: Yes
Other Highest 2 hr

By @HullBreach
23 Sep 2024 01:49

fixed with a URL regex for [a] and for [image]

By @HullBreach
23 Sep 2024 01:44

Javascript

By @HullBreach
23 Sep 2024 01:28

Testing:

https://dsipaint.com
https://dsipaint.com/index.php

By @UwUQueen
23 Sep 2024 01:22

link test

By @UwUQueen
23 Sep 2024 00:42

[image]%6aavascript:alert(123);[/image]

By @UwUQueen
23 Sep 2024 00:40

By @UwUQueen
23 Sep 2024 00:39

By @UwUQueen
23 Sep 2024 00:37

test

By @UwUQueen
23 Sep 2024 00:35

test

By @HullBreach
23 Sep 2024 00:35

More testing...

HB Studios
view.php?id=13002

By @HullBreach
23 Sep 2024 00:32

Testing:

[a="https://3dspaint.com"]3DSPaint.com[/a]
https://dsipaint.com
[a="https://hullbreachonline.com/?class=3"]HullBreach Online Ships[/a]

By @UwUQueen
12 Aug 2024 08:17

Nevermimd, works best with touch and drag which doesn't cause fore scroll up

By @UwUQueen
12 Aug 2024 08:15

Never still forces scroll up

By @UwUQueen
12 Aug 2024 08:13

Improved POCa=#" style="color:red;" ontouchstart="event.preventDefault();this.parentElement.innerText='Your cookie is:'+document . cookie;]click to show cookie[/a]

No longer forces scroll up on click.

By @UwUQueen
12 Aug 2024 07:58

Bbcodes*

By @UwUQueen
12 Aug 2024 07:57

Bbcodes*

By @UwUQueen
12 Aug 2024 07:57

Shows*

By @UwUQueen
12 Aug 2024 07:56

shoes the full bbcode. This should happen with malformed a tag vbcodes

By @UwUQueen
12 Aug 2024 07:27

I have been able to get several more event handlers working in place of the "on click", which proves text replacing of words "javascript" "on click" etc will not address this issue correctly.

By @UwUQueen
12 Aug 2024 07:24

I know of several more event handlers that can take place of onClick event, that give same results as using onClick.

By @UwUQueen
12 Aug 2024 06:02

@HullBreach

By @UwUQueen
12 Aug 2024 05:58

Below code works still

You need to encode or replace the " and ' characters before processing bbcode, this will prevent all xss escapes. Replacing words like onClick or javascript with spaces is a bad approach that never ends, as so many different event handlers are able to be used.

By @UwUQueen
12 Aug 2024 05:50

Source: BBCode [a=#" style="color:red;" ontouchstart="this.parentElement.innerText='Your cookie is:'+document . cookie;]click to show cookie[/a]

By @UwUQueen
12 Aug 2024 05:48

The " ' should be replaced instead if spacing

By @UwUQueen
12 Aug 2024 05:47

Source: BBCode [a=#" style="color:red;" ontouchdown="this.parentElement.innerText='Your cookie is:'+document . cookie;]click to show cookie[/a]

By @UwUQueen
12 Aug 2024 05:46

Source: BBCode[ a=#" style="color:red;" ontouchdown="this.parentElement.innerText='Your cookie is:'+document . cookie;]click to show cookie[/a]

By @HullBreach
12 Aug 2024 00:48

fixed

By @UwUQueen
23 Jul 2024 00:26

`, " and ' should all be replaced htmlentities(). Using the ENT_QUOTES flag will handle both " and ', however it will not replace `, although i am unsure of any code that uses that character.

Relevant documentation https://www.php.net/manual/en/function.htmlentities.php

Applying [b]both this solution and below commented solutions will remove escaping or js execution.

By @UwUQueen
22 Jul 2024 20:53

Replacing javascript does not actually prevent javascript: from being placed in url/a tags.

By @UwUQueen
22 Jul 2024 20:51

Please create an allowlist for beginning of the regular expression some somthing like [http|https|#|/].*[/url]

By @UwUQueen
22 Jul 2024 20:48

This can be used in cookie hijacking attacks.

@UwUQueen marked this request as resolved.
23 Sep 2024 01:52

@UwUQueen reopened this request.
23 Sep 2024 01:52

@HullBreach left a reply.
23 Sep 2024 01:49

@HullBreach changed the hour estimate from 0.
23 Sep 2024 01:49

@HullBreach marked this request as resolved.
23 Sep 2024 01:49

@HullBreach left a reply.
23 Sep 2024 01:44

@HullBreach left a reply.
23 Sep 2024 01:28

@UwUQueen left a reply.
23 Sep 2024 01:22

@UwUQueen left a reply.
23 Sep 2024 00:42

@UwUQueen left a reply.
23 Sep 2024 00:40

@UwUQueen left a reply.
23 Sep 2024 00:39

@UwUQueen left a reply.
23 Sep 2024 00:37

@UwUQueen left a reply.
23 Sep 2024 00:35

@HullBreach left a reply.
23 Sep 2024 00:35

@HullBreach left a reply.
23 Sep 2024 00:32

@UwUQueen left a reply.
12 Aug 2024 08:17

@UwUQueen left a reply.
12 Aug 2024 08:15

@UwUQueen left a reply.
12 Aug 2024 08:13

@UwUQueen left a reply.
12 Aug 2024 07:58

@UwUQueen left a reply.
12 Aug 2024 07:57

@UwUQueen left a reply.
12 Aug 2024 07:57

@UwUQueen left a reply.
12 Aug 2024 07:56

@UwUQueen left a reply.
12 Aug 2024 07:27

@UwUQueen left a reply.
12 Aug 2024 07:24

@UwUQueen left a reply.
12 Aug 2024 06:02

@UwUQueen left a reply.
12 Aug 2024 05:58

@UwUQueen left a reply.
12 Aug 2024 05:50

@UwUQueen left a reply.
12 Aug 2024 05:48

@UwUQueen left a reply.
12 Aug 2024 05:47

@UwUQueen left a reply.
12 Aug 2024 05:46

@UwUQueen reopened this request.
12 Aug 2024 05:45

@HullBreach marked this request as resolved.
12 Aug 2024 00:48

@HullBreach left a reply.
12 Aug 2024 00:48

@UwUQueen left a reply.
23 Jul 2024 00:26

@HullBreach claimed ownership of this request.
22 Jul 2024 21:00

@UwUQueen left a reply.
22 Jul 2024 20:53

@UwUQueen left a reply.
22 Jul 2024 20:51

@UwUQueen left a reply.
22 Jul 2024 20:48

@UwUQueen set the priority.
22 Jul 2024 20:47

@UwUQueen created this request.
22 Jul 2024 20:46