The rich text is still not handled properly, and the dsafe function is bypassed once more. Payloads for several browsers are provided (FF and IE1789 trigger directly; other browsers need a click). A while ago I learned a bit about "hazard amplification", so here is another round ~~ Enough said: the trigger point is in the short message (private message) feature, so the target can be chosen.

A previous vulnerability can be found at http://wooyun.org/bugs/wooyun-2014-054857. dsafe is the function destoon uses to filter XSS. After that vulnerability was submitted, destoon officially modified dsafe, but it still missed the key point and can be bypassed again. The trigger method is the same as in the previous article; let's see how the bypass works.

The dsafe function works as follows: first it matches HTML character entities (&#xxx;); if an &#xxx; entity is matched, strip_tags is applied to remove all HTML tags. That is quite tough, and the nested-tag bypass does not work well here. But after reading the regular expressions, two more patterns turn out to be cleared:

/\<\!\-([\S\s]*?)\-\>/
/\/\*([\S\s]*?)\*\//

These two match <!-- --> and /**/ respectively. So what happens if we put one of them, say /**/, inside an entity: &#/**/xxx;? It is not matched by the preceding if statement, the /**/ is then cleared at the end, and the remaining &#xxx; is exactly an HTML character entity. In other words, HTML entities can be used to get past keyword filters such as expression and script and construct an XSS. Sent as a short message, the XSS target can be chosen.

First, a general XSS payload for all browsers, triggered on click:

<a href="java&#/**/115;cript:al&#/**/101;rt(docum&#/**/101;nt.cooki&#/**/101;)" style="font-size:500px;opacity:0;">click</a>

I added style="font-size:500px;opacity:0;". If you receive a short message containing a link, you might not click it; but if you receive a short message containing a large blank area, you will be tempted to. So the font size of the a element is set to 500px and its opacity to 0, which makes it invisible as a hyperlink. Isn't that what is called hazard amplification? Let's demonstrate it.

First, log in, open the short messages, fill in the recipient and the other fields, and click send. Use Burp Suite to intercept the request and put the URL-encoded payload above into the [content] field. This is what the target sees when viewing the new short message: a large blank area. Clicking it triggers the payload (loading remote JS is not demonstrated). The keyword is bypassed with HTML entities.

Directly triggered in IE and in Firefox:

<embed src=java&#/**/115;cript:al&#/**/101;rt(docum&#/**/101;nt.cooki&#/**/101;)>

Solution: replace rich text with UBB or Markdown.
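The order-of-operations flaw described above, modelled as an added example (this is not destoon's dsafe code; the regexes, the filter structure and the hardened variant are my own assumptions). The flawed filter checks for entities before removing comments, so &#/**/115; escapes the check and is stitched back into an entity; the hardened variant normalises first (comments removed to a fixpoint, then entities decoded) and falls back to escaped plain text when the result carries a javascript: URI, in the spirit of the fix proposed at the end.

```python
import html
import re

# Constructed model of the order-of-operations flaw described in the write-up;
# this is not destoon's dsafe code. The regexes mirror the two patterns quoted.
ENTITY_RE = re.compile(r"&#\d+;|&#x[0-9a-fA-F]+;|&[a-zA-Z][a-zA-Z0-9]*;")
COMMENT_RES = (re.compile(r"<!--([\s\S]*?)-->"), re.compile(r"/\*([\s\S]*?)\*/"))
TAG_RE = re.compile(r"<[^>]*>")
JS_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)

# Payload from the write-up and a constructed benign link, used as test input.
PAYLOAD = ('<a href="java&#/**/115;cript:al&#/**/101;rt(docum&#/**/101;nt.'
           'cooki&#/**/101;)">click</a>')
BENIGN = '<a href="https://example.com/?a=1&amp;b=2">link</a>'


def strip_tags(s):
    return TAG_RE.sub("", s)


def flawed_filter(s):
    """Vulnerable order: entity check first, comment removal last."""
    if ENTITY_RE.search(s):       # '&#/**/115;' is not an entity yet...
        s = strip_tags(s)
    for rx in COMMENT_RES:        # ...until the comment is removed here
        s = rx.sub("", s)
    return s


def normalize(s):
    """Remove comments until stable, then decode entities once (as a browser would).
    Inspecting this form means a comment hidden inside an entity, or an entity
    hidden inside a comment, cannot keep a keyword out of sight."""
    prev = None
    while prev != s:
        prev = s
        for rx in COMMENT_RES:
            s = rx.sub("", s)
    return html.unescape(s)


def is_dangerous(s):
    return JS_URI_RE.search(normalize(s)) is not None


def hardened_filter(s):
    """Keep markup only when its normalised form is clean; otherwise fall back
    to escaped plain text, in the spirit of the fix proposed at the end."""
    if is_dangerous(s):
        return html.escape(strip_tags(normalize(s)))
    return s
```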