Who is JP?



  • Found these comments when going through the source of a 4oD page (It was erroring and I wanted to watch 8 out of 10 cats... and was getting impatient with it.

     

     

    			/* 
    
    			JP says: I've amended this code somewhat.
    
    			There's nothing wrong with using inline javascript on 
    			the element onblur and onfocus attributes, but the tests
    			weren't particularly sophisticated, and there was no
    			behaviour defined for what should happen if the values
    			were functionally useless. Empty field? Submit it anyway! 
    			Entered text identical to default text, bar one character
    			or two? Submit it anyway!
    			
    			This stuff probably looks more complicated than it is.
    			
    		*/
    

    Also then found this:

     

    			function SearchAZTidy()
    			{
    				/*
    					JP says: RegExp left as is. This RegExp filters scripting abuses.
    				*/
    				var input	= document.getElementById ( "searchbar" ) ;
    				if ( input )
    				{
    					input.value	= input.value.replace(/(\\\\)|(<([^>]+)>)/ig, "" );
    					return false ;
    				}
    				return false ;
    			}
     

    Now, i'm not a big know it all about regex's. In fact, I really don't understand them that well. But is that seriously stripping out html from the search box?



  • @Marine said:

    Now, i'm not a big know it all about regex's. In fact, I really don't understand them that well. But is that seriously stripping out html from the search box?

    Yep, as well as any double backslashes.  I wonder what kind of processing they're doing on the input that could get confused by a double backslash but not a single one.  The check is done on the client end, so it's likely possible to bypass the "abuse filter" by crafting a suitable URL by hand.


  • Discourse touched me in a no-no place

    @tdb said:

    The check is done on the client end, so it's likely possible to bypass the "abuse filter" by crafting a suitable URL by hand.
    Too much work. Just take the check out with Firebug.



  • @Weng said:

    Too much work. Just take the check out with Firebug.

    Or even less effort just submit a malformed HTML tag. It only filters it if you close your tag but I'm willing to bet most modern browsers will be kind enough to go into quirks mode and render your HTML anyway (at least for simple tags like img :P). Or if you just want to be a bastard and don't care about exploting just submit <!-- and comment out the rest of the site :P It's amazing how many filters rely on better formed HTML than browsers need to render.



  • Wow! I got a little worried when I saw that headline that this was going to be something of mine, but I swear I didn't write that!


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.