  1. phpBB
  2. PHPBB-10240

Word filter evasion


    • Bug
    • Resolution: Fixed
    • Minor
    • 3.0.10-RC1
    • 3.0.8
    • Posting
    • None

      The word filter can be easily evaded using control characters (Unicode characters 00 - 0F). It does not work with NUL (00), but I have tested it with SOH and STX and it works with both of them. When the user posts, all they have to do is insert one of these control characters into the word they don't want to be filtered, and it is allowed in the post.

      My proposed fix, which I would be happy to implement myself, would be to simply strip all control characters from the post. I've never seen a control character used genuinely on a bulletin board.

      If you want to replicate this yourself and your keyboard doesn't allow you to type these characters, go into a JavaScript console (easiest) and type console.log('wo\u0001rd'). You will not be able to see the control character.

            bantu Andreas Fischer [X] (Inactive)
            callum95 callum95
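The fix proposed in the report, sketched as an added example (this is not phpBB's code, nor the change that resolved this issue): control characters are stripped from the post before a simplified stand-in for the word filter runs. The function names and the word list are hypothetical, and keeping tab, LF and CR is an assumption made here so that line breaks in posts survive.

```php
<?php
// Added example, not phpBB code. Function names and $censors are hypothetical.

/**
 * Remove C0 control characters (U+0000-U+001F) and DEL (U+007F).
 * Assumption: tab (09), LF (0A) and CR (0D) are kept, because posts
 * legitimately contain line breaks and those bytes fall in the same range.
 * All of these code points are single bytes in UTF-8, so a byte-level
 * pattern cannot damage multi-byte characters.
 */
function strip_control_chars(string $text): string
{
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $text);
}

/**
 * Simplified stand-in for a word filter: whole-word, case-insensitive
 * replacement of each censored word.
 */
function censor(string $text, array $censors): string
{
    foreach ($censors as $word => $replacement) {
        $pattern = '/\b' . preg_quote($word, '/') . '\b/i';
        $text = preg_replace($pattern, $replacement, $text);
    }
    return $text;
}

// Constructed sample data: "word" stands in for a censored term.
$censors = ['word' => '****'];
$posts = [
    "a plain word here",
    "SOH inside: wo\x01rd",
    "STX inside: wo\x02rd",
    "line one\nline two with wo\x01rd",
];

foreach ($posts as $post) {
    $unfiltered = censor($post, $censors);                      // filter only
    $filtered   = censor(strip_control_chars($post), $censors); // strip, then filter
    // json_encode makes the otherwise invisible control characters visible.
    echo 'input:        ', json_encode($post), "\n";
    echo 'filter only:  ', json_encode($unfiltered), "\n";
    echo 'strip+filter: ', json_encode($filtered), "\n\n";
}
```

The stripping step has to run on the text that is stored and displayed, not only on a copy used for matching; otherwise the control character remains in the saved post.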