SLA.CKERS.ORG
HA.CKERS SLACKING
sla.ckers.org web application security lab forums
Q and A for any cross site scripting information. Feel free to ask away. 
strip_tags evasion
Posted by: Jipe (IP Logged)
Date: February 29, 2008 04:32AM

Hi,

Is there a way to bypass the PHP strip_tags() function?
In other words, is there a way to call JavaScript without any <script>, <img>, <style> tag?

Tks,

Re: strip_tags evasion
Posted by: .mario (IP Logged)
Date: February 29, 2008 08:02AM

" onwhatever=alert(1) a="
- or via UTF7 on IE6/7 under certain circumstances...
---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

Re: strip_tags evasion
Posted by: Ambush Commander (IP Logged)
Date: February 29, 2008 03:37PM

strip_tags(), by itself, is somewhat difficult to bypass. strip_tags with allowed tags is trivial to bypass. But usually people use a few regexps along with it.

HTML Purifier - Standards Compliant HTML filtering
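To make the point above concrete, here is an added PHP example (not code from the thread or from HTML Purifier) that runs a few constructed inputs through strip_tags() with an allowed-tags list, checks whether an on* event-handler attribute survives, and shows the context-aware encoding that should be applied to untrusted text instead. The helper names and sample strings are mine.

```php
<?php
// Added example, not from the thread: why strip_tags() with an allowed-tags
// list is not an XSS defence, and what to do with untrusted text instead.

// Constructed sample inputs, modelled on the thread's discussion.
$samples = [
    // Attribute injection inside a permitted tag: strip_tags() keeps attributes.
    '<a href="#" onclick="alert(1)">x</a>',
    // Attribute-context break-out (the thread's `" onwhatever=alert(1) a="`);
    // contains no tag at all, so strip_tags() leaves it untouched.
    '" onmouseover=alert(1) a="',
    // A disallowed tag: this one really is removed (its text content stays).
    '<script>alert(1)</script>',
];

// The weak approach: allow <a> and trust the result as HTML.
function weakFilter(string $input): string
{
    return strip_tags($input, '<a>');
}

// The safer approach for untrusted text: encode for the output context.
// ENT_QUOTES covers both element content and quoted attribute values.
function encodeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Detection-style check: does the filtered string still carry an
// on* event-handler attribute?
function hasEventHandler(string $html): bool
{
    return (bool) preg_match('/\son[a-z]+\s*=/i', $html);
}

foreach ($samples as $s) {
    $weak = weakFilter($s);
    printf("input:   %s\n", $s);
    printf("weak:    %s  [handler survives: %s]\n",
        $weak, hasEventHandler($weak) ? 'yes' : 'no');
    printf("encoded: %s\n\n", encodeForHtml($s));
}
```

The first two samples keep their event handler after weakFilter(); only the third loses its tags. The second sample is only dangerous when the string lands inside a quoted attribute in the template, which is exactly why the encoding step has to be chosen per output context rather than applied once at input time.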

Re: strip_tags evasion
Posted by: .mario (IP Logged)
Date: March 01, 2008 06:08PM

Quote:
But usually people use a few regexps along with it.

Which is pretty much the reason why there are still open jobs in IT Sec :)

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

Re: strip_tags evasion
Posted by: Karon (IP Logged)
Date: March 03, 2008 07:56AM

How secure is strip_tags() used together with mysql_real_escape_string? Does something bypass this?

Re: strip_tags evasion
Posted by: Ambush Commander (IP Logged)
Date: March 03, 2008 03:44PM

It depends on what you mean by "secure". If you mean secure from SQL injections, mysql_real_escape_string alone will do the trick. If you mean for output, no. It's all insecure.

HTML Purifier - Standards Compliant HTML filtering

Re: strip_tags evasion
Posted by: Karon (IP Logged)
Date: March 04, 2008 02:02AM

OK, so is there any point combining the two of them?

Re: strip_tags evasion
Posted by: .mario (IP Logged)
Date: March 04, 2008 02:47AM

It's better to just know when to use what. Nobody wants overhead in the database or the markup.

So the best practice is IMHO:

Input -> Validate -> Filter (CRLF, Ctrl-Chars) -> Escape -> Store -> Encode (Just the characters you need to encode) -> Output

Validation can be done via type check or regex, for filtering the ord() method does a great job, escaping is done by mysql_(real)_escape_string() and encoding is done by correctly parametrized htmlentities().

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>
Edited 1 time(s). Last edit at 03/04/2008 02:47AM by .mario.

Re: strip_tags evasion
Posted by: Karon (IP Logged)
Date: March 04, 2008 03:03AM

oki :-) thanks

Re: strip_tags evasion
Posted by: Matt Presson (IP Logged)
Date: March 04, 2008 08:34AM

Totally agree with .mario. The key to effectively protecting your application is to validate when you receive data, use bindable queries in your database transactions, and to encode your output.

If you do each of these correctly you should be fairly safe from many of the biggest security threats out there.
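As an added example (not code posted by .mario or Matt Presson), here is one way to lay out the pipeline .mario described, Validate -> Filter (CRLF, control chars) -> Escape -> Store -> Encode -> Output, with Matt Presson's "bindable queries" (a PDO prepared statement) doing the escaping instead of a hand-built SQL string. It uses an in-memory SQLite database so it runs stand-alone; the table, column and function names and the sample input are my own assumptions.

```php
<?php
// Added example, not from the thread: validate on input, filter control
// characters, store through a parameterised query, encode once at output.
// Uses PDO + SQLite in memory so it runs stand-alone; schema is made up.

// 1. Validate: a type/shape check. Here a username is 3-32 word characters.
function validateUsername(string $raw): ?string
{
    return preg_match('/^\w{3,32}$/u', $raw) ? $raw : null;
}

// 2. Filter: drop CR, LF and other control characters from free text,
//    keeping tab. Works byte-wise with ord(), as the thread suggests;
//    UTF-8 continuation bytes are >= 0x80 and pass through untouched.
function stripControlChars(string $text): string
{
    $out = '';
    foreach (str_split($text) as $ch) {
        $code = ord($ch);
        if ($code === 9 || ($code >= 32 && $code !== 127)) {
            $out .= $ch;
        }
    }
    return $out;
}

// 3+4. Escape and Store: a bound parameter, so the driver handles quoting
//      and the data is stored raw (no HTML encoding at this stage).
function storeComment(PDO $db, string $user, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (username, body) VALUES (:u, :b)');
    $stmt->execute([':u' => $user, ':b' => $comment]);
}

// 5. Encode at output, for the HTML element/attribute context the value lands in.
function encodeForHtml(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed untrusted input, as it might arrive from a form.
$rawUser    = 'alice';
$rawComment = "O'Brien said \"hi\"\r\n<img src=x onerror=alert(1)>";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, username TEXT, body TEXT)');

$user = validateUsername($rawUser);
if ($user === null) {
    exit("rejected: invalid username\n");
}
storeComment($db, $user, stripControlChars($rawComment));

// Output: read the stored (still raw) values back and encode them here, once.
foreach ($db->query('SELECT username, body FROM comments') as $row) {
    printf("<p><b>%s</b>: %s</p>\n",
        encodeForHtml($row['username']), encodeForHtml($row['body']));
}
```

The comment is stored with its quotes and angle brackets intact; the quotes are handled by the bound parameter, and the angle brackets are neutralised only when the value is rendered, so the same stored text can later be emitted to JSON or plain text with the encoding appropriate to that context instead of HTML entities baked into the database.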