  1. phpBB3
  2. PHPBB3-10240

Word filter evasion


Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 3.0.8
    • 3.0.10-RC1
    • Posting
    • None

    Description

      The word filter can be easily evaded using control characters (Unicode characters 00 - 0F). It does not work with NUL (00), but I have tested it with SOH and STX and it works with both of them. When the user posts, all they have to do is insert one of these control characters into the word they don't want to be filtered, and it is allowed in the post.

      My proposed fix, which I would be happy to implement myself, would be to simply strip all control characters from the post. I've never seen a control character used genuinely on a bulletin board.

      If you want to replicate this yourself and your keyboard doesn't allow you to type these characters, go into a JavaScript console (easiest) and type console.log('wo\u0001rd'). You will not be able to see the control character.
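
The following is an added example, not part of the original report and not phpBB's code: it shows a contiguous-match word filter missing a word that carries SOH or STX, and the same filter matching once control characters are stripped first. The word list, function names and sample post are constructed, and keeping tab, LF and CR (rather than stripping every control character) is an assumption so that normal line breaks survive.

```javascript
// Constructed censor list; a real board's list is set by its administrator.
const CENSORED = ['word'];

// C0 controls (U+0000-U+001F) and DEL, except tab, LF and CR, which
// ordinary posts need for layout. Keeping those three is an assumption.
const CONTROL_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Naive filter: a censored word only matches as a contiguous string,
// so an invisible character inside it prevents the match.
function naiveFilter(text, words = CENSORED) {
  return words.reduce(
    (out, w) => out.replace(new RegExp(escapeRegExp(w), 'gi'), '*'.repeat(w.length)),
    text
  );
}

// Hardened filter: strip control characters before censoring.
function hardenedFilter(text, words = CENSORED) {
  return naiveFilter(text.replace(CONTROL_CHARS, ''), words);
}

// Moderation helper: list the control characters a post carried,
// so stripped input can be logged or flagged for review.
function findControlChars(text) {
  return [...text.matchAll(CONTROL_CHARS)].map((m) => ({
    index: m.index,
    codePoint: 'U+' + m[0].charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'),
  }));
}

// Constructed sample post: SOH in the first word, STX in the second.
const sample = 'a wo\u0001rd and a wo\u0002rd\nnext line';
console.log(JSON.stringify(naiveFilter(sample)));    // unchanged, filter missed both
console.log(JSON.stringify(hardenedFilter(sample))); // both words censored
console.log(findControlChars(sample));
```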

          People

            bantu Andreas Fischer
            callum95 callum95