|
|
@@ -142,27 +142,23 @@ function testSqlAndScriptInject($val, $type)
|
|
|
}
|
|
|
$inj += preg_match('/base\s+href/si', $val);
|
|
|
$inj += preg_match('/=data:/si', $val);
|
|
|
- // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp
|
|
|
- $inj += preg_match('/onmouse([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
|
|
|
- $inj += preg_match('/ondrag([a-z]*)\s*=/i', $val); //
|
|
|
- $inj += preg_match('/ontouch([a-z]*)\s*=/i', $val); //
|
|
|
- $inj += preg_match('/on(abort|afterprint|beforeprint|beforeunload|blur|canplay|canplaythrough|change|click|contextmenu|copy|cut)\s*=/i', $val);
|
|
|
- $inj += preg_match('/on(dblclick|drop|durationchange|ended|error|focus|focusin|focusout|hashchange|input|invalid)\s*=/i', $val);
|
|
|
- $inj += preg_match('/on(keydown|keypress|keyup|load|loadeddata|loadedmetadata|loadstart|loadend|offline|online|pagehide|pageshow)\s*=/i', $val);
|
|
|
- $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|resize|reset|scroll|search|seeking|select|show|stalled|start|submit|suspend)\s*=/i', $val);
|
|
|
- $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting)\s*=/i', $val);
|
|
|
+ // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers
|
|
|
+ $inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
|
|
|
+ $inj += preg_match('/on(abort|afterprint|animation|auxclick|beforeprint|beforeunload|blur|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)\s*=/i', $val);
|
|
|
+ $inj += preg_match('/on(lostpointercapture|dblclick|drop|durationchange|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)\s*=/i', $val);
|
|
|
+ $inj += preg_match('/on(offline|online|pagehide|pageshow)\s*=/i', $val);
|
|
|
+ $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeking|show|stalled|start|submit|suspend)\s*=/i', $val);
|
|
|
+ $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=/i', $val);
|
|
|
|
|
|
// We refuse html into html because some hacks try to obfuscate evil strings by inserting HTML into HTML. Example: <img on<a>error=alert(1) to bypass test on onerror
|
|
|
$tmpval = preg_replace('/<[^<]+>/', '', $val);
|
|
|
- // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp
|
|
|
- $inj += preg_match('/onmouse([a-z]*)\s*=/i', $tmpval); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
|
|
|
- $inj += preg_match('/ondrag([a-z]*)\s*=/i', $tmpval); //
|
|
|
- $inj += preg_match('/ontouch([a-z]*)\s*=/i', $tmpval); //
|
|
|
- $inj += preg_match('/on(abort|afterprint|beforeprint|beforeunload|blur|canplay|canplaythrough|change|click|contextmenu|copy|cut)\s*=/i', $tmpval);
|
|
|
- $inj += preg_match('/on(dblclick|drop|durationchange|ended|error|focus|focusin|focusout|hashchange|input|invalid)\s*=/i', $tmpval);
|
|
|
- $inj += preg_match('/on(keydown|keypress|keyup|load|loadeddata|loadedmetadata|loadstart|loadend|offline|online|pagehide|pageshow)\s*=/i', $tmpval);
|
|
|
- $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|resize|reset|scroll|search|seeking|select|show|stalled|start|submit|suspend)\s*=/i', $tmpval);
|
|
|
- $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting)\s*=/i', $tmpval);
|
|
|
+ // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers
|
|
|
+ $inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
|
|
|
+ $inj += preg_match('/on(abort|afterprint|animation|auxclick|beforeprint|beforeunload|blur|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)\s*=/i', $tmpval);
|
|
|
+ $inj += preg_match('/on(dblclick|drop|durationchange|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)\s*=/i', $tmpval);
|
|
|
+ $inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)\s*=/i', $tmpval);
|
|
|
+ $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeking|show|stalled|start|submit|suspend)\s*=/i', $tmpval);
|
|
|
+ $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=/i', $tmpval);
|
|
|
|
|
|
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ...
|
|
|
$inj += preg_match('/:|:|:/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
|
Laurent Destailleur