filter_var (PHP 5 >= 5.2.0, PHP 7)
Function: filters a variable with a specified filter
Definition: mixed filter_var ( mixed $variable [, int $filter = FILTER_DEFAULT [, mixed $options ]] )
Return value: returns the filtered data, or FALSE if the filter fails.

htmlspecialchars (PHP 4, PHP 5, PHP 7)
Function: converts special characters to HTML entities
Definition: string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = TRUE ]]] )
The conversions performed are:
  & (ampersand)          ->  &amp;
  " (double quote)       ->  &quot;
  ' (single quote)       ->  &apos;
  < (less-than sign)     ->  &lt;
  > (greater-than sign)  ->  &gt;

For these two filters, we can consider using the javascript pseudo-protocol to bypass them. To make this easier to understand, consider the following demo code:

We use the payload ?url=javascript://comment%250aalert(1), and the alert function executes:

In fact, // begins a single-line comment in JavaScript, so everything after it is commented out. Why then does alert still execute? Because of the %0a character: it is a newline, so the alert statement is no longer on the same line as the // comment marker and is therefore executed. Note that here the % itself has to be percent-encoded as %25, because the program first decodes the submitted payload javascript://comment%250aalert(1) into javascript://comment%0aalert(1), stores it in the variable $url (the second line in the figure) and sends it to the browser; when the user clicks the <a> tag, the alert function is triggered.
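The following PHP is an added example, not the post's demo code (which is not reproduced on this page). It places the weak "validate with filter_var, then escape with htmlspecialchars" pattern the post describes beside a version that additionally allowlists the URL scheme, and runs both over the post's payload after the server's first decoding step and over an ordinary https link. The function names weak_link and safe_link, the rendered <a href="..."> markup and the http/https allowlist are assumptions made for the example.

```php
<?php
// Added example (not the post's demo code). Assumptions: the value is rendered as
// href="..." inside double quotes, and only http/https links are meant to be clickable.

/**
 * Weak check: FILTER_VALIDATE_URL only requires a scheme and a host part, so a
 * javascript: URL with any text after "//" passes, and htmlspecialchars leaves
 * % : / ( ) untouched, so the link reaches the browser unchanged.
 */
function weak_link(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;                       // rejected by filter_var
    }
    return '<a href="' . htmlspecialchars($url) . '">link</a>';
}

/**
 * Hardened check: keep the structural validation, then allowlist the scheme
 * and require a host before escaping for the attribute context.
 */
function safe_link(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                       // javascript:, data:, etc. are refused
    }
    // ENT_QUOTES also encodes the single quote; the ENT_COMPAT default does not.
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">link</a>';
}

// Constructed inputs: the post's payload as it arrives in the query string
// (the application decodes it once, as the post describes) and a normal link.
$raw_payload = 'javascript://comment%250aalert(1)';
$inputs = [
    urldecode($raw_payload),               // -> javascript://comment%0aalert(1)
    'https://example.com/page?x=1',
];

foreach ($inputs as $u) {
    printf("%-35s weak: %s\n", $u, weak_link($u) ?? 'rejected');
    printf("%-35s safe: %s\n", $u, safe_link($u) ?? 'rejected');
}
```

Running this shows the javascript: value surviving weak_link (both functions the post names accept it) while safe_link refuses it and still emits the https link. The scheme allowlist is what closes the gap: filter_var answers "is this shaped like a URL", not "is this scheme safe to put in an href", and htmlspecialchars answers "will this break out of the attribute", not "what will the browser do when the link is followed".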
Reference: [Hongri Security] Code Audit Day 2 - filter_var function defects - XianZhi Community https://xz.aliyun.com/t/2457