Text field values containing 'onfocus'

This public forum is for user-to-user discussions of PHPMaker. Note that this is not a support forum.
ppinto
User
Posts: 138

Post by ppinto »

Hi all,

In a text field, if you type some text containing '...onfocus...', then save, then edit the record again, it turns into '...on<x>focus...'
(Same thing happens if text contains 'onblur', 'onchange', 'onselect', etc.)

Any ideas?

Cheers

Pedro


arbei
User
Posts: 9288

Post by arbei »

It is the "Remove XSS" feature; read the help file topic "Tools" -> "Advanced Settings" -> "Remove XSS" for your information.


mobhar
User
Posts: 11660

Post by mobhar »

You should not disable the "Remove XSS" setting, for security reasons.

Alternatively, you may simply remove only certain words, based on your needs, from the "EW_XSS_ARRAY" variable in the generated "ewcfg*.php" file.


ppinto
User
Posts: 138

Post by ppinto »

I'd like to get rid of this error without compromising security.
My specific case is having the word attentionfocus turned into attention<x>focus.
Any way I can modify function ew_RemoveXSS, so that the terms in $EW_XSS_ARRAY could be like '\bonfocus\b' instead of just 'onfocus'?
This would avoid changing false positives detected as XSS...


ppinto
User
Posts: 138

Post by ppinto »

I changed function ew_RemoveXSS in phpfn14.php. Added a few lines of code to add '\b' to the beginning (and/or end) of the pattern string if the first (and/or last) character is alphabetic. Is this safe?
Here's the last part of the function. The first part is unchanged:

function ew_RemoveXSS($val) {
   // ... first part of the function unchanged (not reproduced in this post) ...

   // Now the only remaining whitespace attacks are \t, \n, and \r
   $ra = $GLOBALS["EW_XSS_ARRAY"]; // Note: Customize $EW_XSS_ARRAY in ewcfg*.php
   $found = true; // Keep replacing as long as the previous round replaced something
   while ($found == true) {
      $val_before = $val;
      for ($i = 0; $i < count($ra); $i++) {
         $len = strlen($ra[$i]);
         $pattern = '/';
         for ($j = 0; $j < $len; $j++) {
            //my custom code1 ------------------------------------------------------------------
            if (($j == 0) && (preg_match('/[a-z]/i', $ra[$i][$j]))) {
               $pattern .= '\b'; //add if first character is alphabetic
            } //my custom code1 - end ----------------------------------------------------------
            if ($j > 0) {
               // Allow an optional tab/LF/CR entity between characters, written as hex
               // (&#x9; &#xa; &#xd;) or decimal (&#9; &#10; &#13;). The original classes
               // "[9][a][b]" and "[9][10][13]" only matched the literal strings "9ab" and
               // "91013", so the entity gap never matched; corrected here.
               $pattern .= '(';
               $pattern .= '(&#[xX]0{0,8}[9ad];?)?';
               $pattern .= '|(&#0{0,8}(9|10|13);?)?';
               $pattern .= ')?';
            }
            $pattern .= preg_quote($ra[$i][$j], '/'); // escape the term character so it is matched literally
            //my custom code2 -----------------------------------------------------------------
            if (($j == $len - 1) && (preg_match('/[a-z]/i', $ra[$i][$j]))) {
               $pattern .= '\b'; //add if last character is alphabetic
            } //my custom code2 - end ---------------------------------------------------------
         }
         $pattern .= '/i';
         $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // Add in <> to nerf the tag
         $val = preg_replace($pattern, $replacement, $val); // Filter out the hex tags
      }
      // Compare only after the whole term list has run. Doing the check inside the for
      // loop (as before) set $found to false as soon as one term did not match, so the
      // outer loop stopped after a single pass even when a later term had replaced something.
      if ($val_before == $val) {
         // No replacements were made, so exit the loop
         $found = false;
      }
   }
   return $val;
}
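
To see what the '\b' change actually does, here is a small stand-alone script (added as an example for this thread; it is not PHPMaker's code and $terms is a hypothetical stand-in for $EW_XSS_ARRAY). It builds the same style of entity-tolerant pattern as ew_RemoveXSS, once without and once with the word-boundary anchors, and runs both over a few constructed inputs: the "attentionfocus" false positive from above, plus handler-style strings that still have to be neutered.

```php
<?php
// Added example, not PHPMaker's code. It rebuilds the kind of pattern
// ew_RemoveXSS generates, with the \b anchors proposed in the thread, and runs
// the plain and anchored versions side by side over constructed sample inputs.
// $terms is a hypothetical stand-in for $EW_XSS_ARRAY from ewcfg*.php.

$terms = ['onfocus', 'onblur', 'onchange', 'javascript'];

// Optional tab/LF/CR entity allowed between characters, hex (&#x9; &#xa; &#xd;)
// or decimal (&#9; &#10; &#13;), so "on&#9;focus" is still recognised.
const ENTITY_GAP = '(?:&#[xX]0{0,8}[9ad];?|&#0{0,8}(?:9|10|13);?)?';

// Build the case-insensitive pattern for one term. With $wordBoundary the
// pattern is anchored with \b on each side where the term has a letter, so the
// term has to stand alone instead of sitting inside a longer word.
function buildPattern(string $term, bool $wordBoundary): string
{
    $chars = array_map(fn($c) => preg_quote($c, '/'), str_split($term));
    $lead = ($wordBoundary && preg_match('/[a-z]/i', $term[0])) ? '\b' : '';
    $tail = ($wordBoundary && preg_match('/[a-z]/i', $term[strlen($term) - 1])) ? '\b' : '';
    return '/' . $lead . implode(ENTITY_GAP, $chars) . $tail . '/i';
}

// Insert <x> after the second character of every match, repeating whole passes
// until a pass changes nothing (same loop shape as the quoted function, with the
// comparison made after the full term list rather than after each term).
function removeXss(string $val, array $terms, bool $wordBoundary): string
{
    do {
        $before = $val;
        foreach ($terms as $term) {
            $replacement = substr($term, 0, 2) . '<x>' . substr($term, 2);
            $val = preg_replace(buildPattern($term, $wordBoundary), $replacement, $val) ?? $val;
        }
    } while ($val !== $before);
    return $val;
}

// Constructed inputs: the false positive from the thread, then handler-style
// strings that must still be neutered once the anchors are in place.
$samples = [
    'please keep your attentionfocus on the form',
    '<img src=x onfocus=alert(1) autofocus>',
    '<img src=x/onfocus=alert(1)>',
    'on&#9;focus=alert(1)',
    'javascript:alert(1)',
];

foreach ($samples as $s) {
    printf("%s\n  plain: %s\n  \\b:    %s\n", $s,
        removeXss($s, $terms, false), removeXss($s, $terms, true));
}
```

Run it with php on the command line. The first sample comes back unchanged only in the anchored column; the other four are neutered in both columns, because a browser only treats an attribute named exactly onfocus as an event handler, so anything glued to the term with a word character (letter, digit, underscore) is not a handler name in the first place, and the space, slash or quote that normally precedes it is itself a word boundary. Two things worth keeping in mind: without the /u modifier, \b is ASCII-based, so a non-ASCII letter next to the term still counts as a boundary (that gives a false positive, not a bypass), and this blocklist is a second line of defence; the value still has to be HTML-encoded (htmlspecialchars) wherever it is displayed.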
