Whats the use of the \t??

sharantyr

Hello.
I actually use a forum system that I wont name for security reasons 😉
Some people suggested a update because of a security flaw, so I checked what the update was for, and found out this :

old file
  if($allowhtml==0) $post=$this->convertHTML($post,false);
  else {
   $post=preg_replace("/<([\/]?)script([^>]*)>/i","&lt;\\1script\\2&gt;",$post);
   $post=preg_replace("/(<table[^>]*>)([^\\3]*)(<\/table>)/eiU","\"\\1\".\$this->formatTableTR('\\2').\"\\3\"",$post);
  }

new file
  // remove tab
  $post = str_replace("\t", " ", $post);

  if($allowhtml==0) $post=$this->convertHTML($post,false);
  else {
   $post=preg_replace("/<([\/]?)script([^>]*)>/i","&lt;\\1script\\2&gt;",$post);
   $post=preg_replace("/(<table[^>]*>)([^\\3]*)(<\/table>)/eiU","\"\\1\".\$this->formatTableTR('\\2').\"\\3\"",$post);
  }

So I d like to know what arethe potential risks to not use this fix, and how the \t could affect the preg replace function? Or would this affect html outpout and let user make some html + javascript injection?
Thanks for your help 🙂

tsinka

Hi,

the \t stands for a tab. The str_replace replaces each tab(ulator ) with a white space.

sharantyr

yes i understand the fix, but why they did it? how would \t affect the str_replace function? in THE OLD FILE!

laserlight

my guess is this:
They want to allow some html tags, and not others.
However, the checking mechanism does not take into account that whitespace within html tags may also be the tab characters.
As such, it is possible that the mechanism fails to detect a disallowed html tag while browsers continue to parse it.

By replacing tab chars with spaces, the checking mechanism will then work as expected.