#!/usr/bin/perl -w
use strict;
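# Demo: force the TYPE attribute of every <STYLE ...> tag to text/css, so a
# tag that declares a script MIME type is no longer handled as script.
# Sample input: one STYLE tag carrying two script-typed TYPE attributes.
# (The literal is on one line; the forum's "+" wrap marker had split it.)
my $string = q|<STYLE TYPE="application/x-javascript" Language='English' TYPE="application/x-javascript">|;
printf "%s\n", $string;    # before

# Outer s///e: $1 is the attribute text between "<STYLE " and the closing ">".
# Plain ASCII bracket delimiters are used because a non-ASCII delimiter only
# parses when the source file's encoding makes it a single byte.
$string =~ s{<STYLE\s([^>]*)>}
{
    my $trt = $1;    # copy first: the inner s/// resets the capture variables
    # Rewrite each type=VALUE whose value is terminated by a space or a quote.
    # Known gaps in this first version:
    #   - an unquoted value directly before the closing ">" has no terminator
    #     inside $1, so it is left unchanged;
    #   - "type = value" with whitespace around "=" is not matched;
    #   - when the terminator is a space, that separator is consumed.
    # $trt =~ s!type=\S+?(\s|"|')!TYPE="text/css"!igs;
    $trt =~ s!type=\S+?[ '"]!TYPE="text/css"!igs;
    qq(<STYLE $trt>)
}eigsx;
printf "%s\n", $string;    # after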
Object, applet and embed tags are also evil (I'm sure there are others).
Update: a slightly smarter version:
#!/usr/bin/perl -w
use strict;
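# Demo: force the TYPE attribute of every <STYLE ...> tag to text/css, so a
# tag that declares a script MIME type is no longer handled as script.
# Sample input: one STYLE tag carrying two script-typed TYPE attributes.
# (The literal is on one line; the forum's "+" wrap marker had split it.)
my $string = q|<STYLE TYPE="application/x-javascript" Language='English' TYPE="application/x-javascript">|;
printf "%s\n", $string;    # before

# Outer s///e: $1 is the attribute text between "<STYLE " and the closing ">".
# Plain ASCII bracket delimiters are used because a non-ASCII delimiter only
# parses when the source file's encoding makes it a single byte.
$string =~ s{<STYLE\s([^>]*)>}
{
    my $trt = $1;    # copy first: the inner s/// resets the capture variables
    # Replace every type attribute, whatever its value looks like:
    #   - optional whitespace around "=" is accepted;
    #   - the value may be double-quoted, single-quoted or unquoted;
    #   - only the attribute itself is consumed, so the separator before the
    #     next attribute is kept and the closing ">" is never swallowed.
    # Over-matching (for example an attribute whose name merely ends in
    # "type") is harmless here: the result is still a text/css value.
    $trt =~ s!type\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)!TYPE="text/css"!gi;
    # Scope note: only STYLE tags are normalised. The other script-capable
    # markup this thread mentions (object/applet/embed tags, event-handler
    # attributes such as onClick) is untouched and needs its own filtering.
    qq(<STYLE $trt>)
}eigsx;
printf "%s\n", $string;    # after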
Update: OeufMayo asks in the cb: what about <a href="#" onClick="alert('evil javascript here');">
Well, I thought htmlScreen would take care of it, but you do override the filter:
$str.=htmlcode('parselinks','doctext,override');
... in parselinks ...
$text=htmlScreen($text,$APPROVED) unless $overridefilter eq "override";
With "override" passed, htmlScreen is skipped, so that text is never screened against $APPROVED.
___crazyinsomniac_______________________________________
Disclaimer: Don't blame. It came from inside the void
perl -e "$q=$_;map({chr unpack qq;H*;,$_}split(q;;,q*H*));print;$q/$q;" |