I have a script that pulls text from an API and sets it as a tooltip in HTML:
<div class="item ttip" data-html="<?php echo $obj->titletag;?>">...</div>
The API allows HTML and JavaScript to be entered on its side of the field.
I tried $obj->titletag = htmlentities(strip_tags_content($this->channel->status));
I had a user enter the following (or similar, it is blocked now so I cannot check again):
\" <img src="xx" onerror=window.location.replace(https://www.youtube.com/watch?v=iaisudbjxj0)>
which was not caught by the above. I could str_replace the window.location stuff, but that seems dirty. What is the right approach? I have been reading a lot about "whitelists" but I don't understand the concept in such a case.
//edit: strip_tags_content comes from here: https://php.net/strip_tags#86964
Well, it's not the tags you're replacing, it's the code within the tags. You need to allow attributes in the code rather than stripping tags, since you've only got 1 tag in there ;)
What you want to check is the handlers being bound in JS (full list here), and remove them if the input contains onerror or so.
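The whitelist idea both posts circle around, as an added example that is not code from either poster: instead of searching for onerror, parse the tooltip HTML and keep only tags and attributes on an explicit allow list, so every event handler attribute and script URL is dropped without having to name it. The ALLOWED table and the function names are assumptions for this example; it needs PHP with ext-dom.

```php
<?php
// Added example, not from the original post: a whitelist sanitizer for the
// tooltip HTML. Everything not explicitly allowed is removed, so any new
// handler attribute (onerror, onload, ...) is dropped without listing it.
// ALLOWED is an assumed list; extend it to the tags the tooltip really needs.
const ALLOWED = [
    'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'br' => [],
    'a' => ['href', 'title'],
];

function sanitizeTooltipHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate malformed user markup
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0); // our wrapper, outermost div
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Walk a static copy of the children because the loop mutates the tree.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!($child instanceof DOMElement)) {
            if (!($child instanceof DOMText)) $node->removeChild($child); // comments, PIs
            continue;
        }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $node->removeChild($child);            // drop element and its body
        } elseif (!isset(ALLOWED[$tag])) {         // img, iframe, div, ...
            $node->replaceChild($child->ownerDocument->createTextNode($child->textContent), $child);
        } else {
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, ALLOWED[$tag], true)
                    || ($name === 'href' && preg_match('/^\s*(javascript|data|vbscript)\s*:/i', $attr->value))) {
                    $child->removeAttribute($attr->name);
                }
            }
            cleanNode($child);
        }
    }
}
```

The cleaned string is still embedded with htmlspecialchars($clean, ENT_QUOTES, 'UTF-8') inside the data-html attribute, so the leading \" in the quoted input cannot break out of the attribute; the sanitizer covers what the tooltip library later inserts into the DOM.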