milesj / decoda

A lightweight lexical string parser for BBCode styled markup.
MIT License

XSS #7

Closed fantgeass closed 12 years ago

fantgeass commented 12 years ago
```php
<?php
$string = "<script>alert('I can use xss');</script>";
$code = new Decoda($string);
$code->defaults();
echo $code->parse();
```
milesj commented 12 years ago

Well that's a pretty big oversight. Could have sworn I had a strip_tags() in the code.

fantgeass commented 12 years ago
```php
<?php
$string = strip_tags('[code]<?php echo 123; ?>[/code]');
$code = new Decoda($string);
$code->defaults();
echo $code->parse();  // <pre class="decoda-code code-php"></pre>
```
milesj commented 12 years ago

Pushed v3.2, will tag after a bit more testing.
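The two reproductions above show why stripping tags is the wrong fix: it leaves the raw `<script>` problem to whoever forgets to call it, and it destroys legitimate content such as the PHP snippet inside `[code]`. The example below is added for this page and is not Decoda's code; `renderBbcode()` is a hypothetical stand-in for the parser that only handles the `[code]` tag, to show the escape-then-translate order a BBCode renderer needs.

```php
<?php
// Added example (not Decoda's own code): a minimal BBCode [code] handler
// that escapes HTML instead of stripping it. Escaping first neutralises the
// <script> payload from the first comment while preserving the PHP snippet
// inside [code] that strip_tags() removed in the second comment.
function renderBbcode(string $input): string
{
    // 1. Escape every HTML-significant character up front. Nothing the user
    //    typed can be interpreted as markup from this point on.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Only now translate our own BBCode tags into HTML. The markup emitted
    //    here is ours; the content between the tags is already inert text.
    //    The class name is a placeholder for this example.
    return preg_replace(
        '#\[code\](.*?)\[/code\]#s',
        '<pre class="code">$1</pre>',
        $safe
    );
}

// Constructed inputs, copied from the two reproductions in the thread.
$xss  = "<script>alert('I can use xss');</script>";
$code = '[code]<?php echo 123; ?>[/code]';

// The script tag comes out as visible text, not executable markup.
echo renderBbcode($xss), PHP_EOL;

// The PHP snippet survives as escaped text inside the <pre> block.
echo renderBbcode($code), PHP_EOL;

// Contrast: strip_tags() silently deletes the snippet the user wanted to show.
echo strip_tags($code), PHP_EOL;
```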