
Text field values containing 'onfocus'

Posted: Sat Nov 25, 2017 2:56 am
by ppinto

Hi all,

In a text field, if you type some text containing '...onfocus...', then save, then edit the record again, it turns into '...on<x>focus...'
(Same thing happens if text contains 'onblur', 'onchange', 'onselect', etc.)

Any ideas?

Cheers

Pedro


Re: Text field values containing 'onfocus'

Posted: Sat Nov 25, 2017 9:37 am
by arbei

This is the "Remove XSS" feature; read the help file topic "Tools" -> "Advanced Settings" -> "Remove XSS" for more information.


Re: Text field values containing 'onfocus'

Posted: Sat Nov 25, 2017 10:00 am
by mobhar

You should not disable the "Remove XSS" setting, for security reasons.

Alternatively, you may simply remove only the particular words you need from the "EW_XSS_ARRAY" variable in the generated "ewcfg*.php" file.


Re: Text field values containing 'onfocus'

Posted: Sun Nov 26, 2017 1:46 am
by ppinto

I'd like to get rid of this error without compromising security.
My specific case is having the word attentionfocus turned into attention<x>focus.
Any way I can modify function ew_RemoveXSS, so that the terms in $EW_XSS_ARRAY could be like '\bonfocus\b' instead of just 'onfocus'?
This would avoid altering text that is falsely detected as XSS...


Re: Text field values containing 'onfocus'

Posted: Mon Nov 27, 2017 5:33 am
by ppinto

I changed function ew_RemoveXSS in phpfn14.php. I added a few lines of code to add '\b' to the beginning (and/or end) of the pattern string if the first (and/or last) character is alphabetic. Is this safe?
Here's the last part of the function. The first part is unchanged:

// Now the only remaining whitespace attacks are \t, \n, and \r
$ra = $GLOBALS["EW_XSS_ARRAY"]; // Note: Customize $EW_XSS_ARRAY in ewcfg*.php
$found = true; // Keep replacing as long as the previous round replaced something
while ($found == true) {
   $val_before = $val;
   for ($i = 0; $i < sizeof($ra); $i++) {
      $pattern = '/';
      for ($j = 0; $j < strlen($ra[$i]); $j++) {
         // my custom code1 ---------------------------------------------------
         if (($j == 0) && (preg_match('/[a-z]/i', $ra[$i][$j]))) {
            $pattern .= '\b'; // add if first character is alphabetic
         }
         // my custom code1 - end ---------------------------------------------
         if ($j > 0) {
            $pattern .= '(';
            $pattern .= '(&#[x|X]0{0,8}([9][a][b]);?)?';
            $pattern .= '|(&#0{0,8}([9][10][13]);?)?';
            $pattern .= ')?';
         }
         $pattern .= $ra[$i][$j];
         // my custom code2 ---------------------------------------------------
         if (($j == (strlen($ra[$i]) - 1)) && (preg_match('/[a-z]/i', $ra[$i][$j]))) {
            $pattern .= '\b'; // add if last character is alphabetic
         }
         // my custom code2 - end ---------------------------------------------
      }
      $pattern .= '/i';
      $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // Add in <> to nerf the tag
      $val = preg_replace($pattern, $replacement, $val); // Filter out the hex tags
      if ($val_before == $val) {
         // No replacements were made, so exit the loop
         $found = false;
      }
   }
}
return $val;
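To make the effect of the word-boundary change concrete, here is an added example that is not phpMaker's code and not from any post in this thread. It builds the same kind of per-keyword pattern with and without the '\b' anchors and runs both variants over a few constructed strings, so the "attentionfocus" false positive and a few real event-handler payloads can be compared side by side. The function names (buildXssPatterns, nerfKeywords, compareFilters), the keyword list and the sample strings are made up for the demonstration. The optional HTML-entity groups that ew_RemoveXSS splices between the keyword's characters are left out so that the boundary logic stays visible, and preg_quote is used, which the generated code does not do.

```php
<?php
// Added example, not code from phpMaker or from this thread.
// Made-up names: buildXssPatterns, nerfKeywords, compareFilters,
// the $words list and the $samples strings.
// The optional HTML-entity groups that ew_RemoveXSS inserts between the
// keyword's characters are omitted so the boundary logic stays visible.

/**
 * Build one case-insensitive pattern per keyword.
 * With $wordBounded = true, a \b anchor is added at an edge of the keyword
 * only when that edge character is alphanumeric, mirroring the posted change:
 * "onfocus" becomes /\bonfocus\b/i, while "<script" (leading '<') gets no
 * leading anchor and still matches anywhere.
 */
function buildXssPatterns(array $words, bool $wordBounded): array
{
    $patterns = [];
    foreach ($words as $word) {
        $first = substr($word, 0, 1);
        $last  = substr($word, -1);
        $pattern = '/';
        if ($wordBounded && ctype_alnum($first)) {
            $pattern .= '\b';
        }
        // preg_quote is an addition: the generated code copies the keyword's
        // characters into the regex unescaped, which would break for an
        // entry containing a regex metacharacter such as '(' or '.'.
        $pattern .= preg_quote($word, '/');
        if ($wordBounded && ctype_alnum($last)) {
            $pattern .= '\b';
        }
        $patterns[$word] = $pattern . '/i';
    }
    return $patterns;
}

/**
 * Neutralise each matched keyword the same way the generated code does:
 * insert "<x>" after its second character ("onfocus" -> "on<x>focus").
 * One pass is enough here because the inserted "<x>" prevents a re-match.
 */
function nerfKeywords(string $val, array $words, bool $wordBounded): string
{
    foreach (buildXssPatterns($words, $wordBounded) as $word => $pattern) {
        $replacement = substr($word, 0, 2) . '<x>' . substr($word, 2);
        $val = preg_replace($pattern, $replacement, $val);
    }
    return $val;
}

/** Run both variants over every sample and return the results side by side. */
function compareFilters(array $samples, array $words): array
{
    $rows = [];
    foreach ($samples as $label => $sample) {
        $rows[$label] = [
            'input'     => $sample,
            'unbounded' => nerfKeywords($sample, $words, false),
            'bounded'   => nerfKeywords($sample, $words, true),
        ];
    }
    return $rows;
}

// Constructed keyword list and inputs (a small subset of what EW_XSS_ARRAY holds).
$words = ['onfocus', 'onblur', 'javascript', '<script'];

$samples = [
    'embedded word'    => 'The attentionfocus report is due on Monday.',
    'real handler'     => '<input autofocus onfocus=alert(1)>',
    'no space before'  => '<a href="x"onfocus=alert(1)>click</a>',
    'mixed case + tab' => "<img src=x\tONBLUR=alert(1)>",
    'scheme in href'   => '<a href="javascript:alert(1)">go</a>',
    'script tag'       => '<script>alert(1)</script>',
];

foreach (compareFilters($samples, $words) as $label => $row) {
    echo $label, "\n";
    echo "  input:     ", $row['input'], "\n";
    echo "  unbounded: ", $row['unbounded'], "\n";
    echo "  bounded:   ", $row['bounded'], "\n";
}
```

Run it with `php example.php`. Only the "embedded word" row differs between the two variants: the unbounded patterns turn "attentionfocus" into "attention<x>focus", the bounded ones leave it alone, and every payload row is nerfed identically by both, because an HTML attribute name is always preceded by whitespace, a quote or a slash and followed by `=`, whitespace or `>`, all of which are non-word characters for `\b`. Two caveats: without the `u` modifier, PCRE's `\b` only treats ASCII letters, digits and underscore as word characters, so a byte of a multibyte character next to a keyword still counts as a boundary (harmless here, since a browser would not parse such a sequence as the attribute either); and the anchors do nothing for entries whose edge character is not alphanumeric, such as "<script", which keep their original reach.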