// ---------------------------------------------------------------------------
// Part 1: "Webwasher Proactive Scanning" prelude.  This is not SPIP code; it
// is the client-side half of a content-filtering proxy, prepended to the page.
// Page script is rewritten (see InjectHooks) so that document.write / eval /
// setTimeout / execCommand / ActiveXObject calls go through the ww* wrappers
// below, which scan their argument against a small substring denylist before
// forwarding it.  The denylist is a heuristic, not a parser: it is defence in
// depth, not a sanitizer.
// ---------------------------------------------------------------------------

/**
 * Error handler that suppresses browser error reporting (returning true from
 * an onerror handler tells the browser the error was handled).
 * @returns {boolean} always true
 */
function wwOnError () {
  return true;
}
// NOTE(review): the DOM handler property is `window.onerror` (lowercase).
// `onError` just creates an unrelated global, so this handler is most likely
// never installed.
onError = wwOnError;

// Free-text reason for the last block; set by the scanners, consumed (and
// cleared) by BlockScript.
var wwLastErrorReason = "";
// Size caps for code passed to eval/execCommand and to setTimeout/setInterval.
var wwMaxEvalCodeLen = 1024;
var wwMaxTimeoutCodeLen = 1024;
// Case-sensitive substrings that mark markup or script text as hostile.
var sPotentiallyHostileIdentifications = new Array (
  "execScript", ".execCommand",
  "setInterval", "showModalDialog", "showModelessDialog", "showHelp",
  ".CreateTextFile", ".DeleteFile", ".GetSpecialFolder", ".Run",
  ".RegRead", ".RegWrite",
  ".Recipients", ".Attachments", ".AddressEntries"
);
// Same idea, matched against the lower-cased input (case-insensitive).
var sPotentiallyHostileIdentificationsLC = new Array ( "mhtml:file://" );

/**
 * Substring scan of `str` against the two denylists above, plus a third pass
 * that flags ".location" followed within 15 characters by a javascript:,
 * <script, file://, res:// or C:-drive reference.  On a hit the matching
 * marker (or "location") is stored in wwLastErrorReason.
 * @param {string} str  markup or script text to scan
 * @returns {boolean} true when a marker was found
 */
function IsHostileMarkupCode (str)
{
  var i;
  for (i = 0; i < sPotentiallyHostileIdentifications.length; ++i) {
    if (str.indexOf (sPotentiallyHostileIdentifications[i]) != -1) {
      wwLastErrorReason = sPotentiallyHostileIdentifications[i];
      return true;
    }
  }
  var strLC = str.toLowerCase();
  for (i = 0; i < sPotentiallyHostileIdentificationsLC.length; ++i) {
    if (strLC.indexOf (sPotentiallyHostileIdentificationsLC[i]) != -1) {
      wwLastErrorReason = sPotentiallyHostileIdentificationsLC[i];
      return true;
    }
  }
  // Third pass runs on the lower-cased copy, so it is case-insensitive.
  i = 0;
  do {
    i = strLC.indexOf (".location", i);
    if (i != -1) {
      var p;
      // ".location" is 9 characters; +10 also steps over the character
      // after it before measuring the 15-character window below.
      i += 10;
      p = strLC.indexOf ("javascript:", i);
      if (p == -1) {
        p = strLC.indexOf ("<script", i);
      }
      if (p == -1) {
        p = strLC.indexOf ("file://", i);
      }
      if (p == -1) {
        p = strLC.indexOf ("res://", i);
      }
      if (p == -1) {
        p = strLC.indexOf ("c:/", i);
      }
      if (p == -1) {
        p = strLC.indexOf ("c:\\", i);
      }
      if (p != -1) {
        if ((p - i) <= 15) {
          wwLastErrorReason = "location";
          return true;
        }
      }
    }
  } while (i != -1);
  return false;
}

/**
 * Reaction to a detected hostile pattern.  The report-and-wipe branch is
 * compiled out (`if ( false )`), so what actually runs is: clear
 * wwLastErrorReason and, on browsers without document.all (non-IE), throw to
 * abort the calling script.  On IE the function returns silently and the
 * caller simply drops the blocked write/call.
 * @param {number} categories  category bitmask (3 = FileRead|FileWrite,
 *   15 adds RegistryRead|RegistryWrite, 16 = Network, 512 = Vulnerable)
 * @param {number} callerId    numeric id of the wrapper that raised the block
 * @throws {string} on non-IE browsers — a plain string, not an Error object
 */
function BlockScript (categories, callerId)
{
  if ( false ) {  // disabled: navigate to the proxy's block page and blank scripts
    var proto = "http";
    if (top.location.protocol.toLowerCase().indexOf ("https") == 0) {
      proto = "https";
    }
    // A reason containing URL/markup metacharacters is replaced so it cannot
    // smuggle extra parameters into the report URL.
    if ((wwLastErrorReason.indexOf ("&") != -1) ||
        (wwLastErrorReason.indexOf ("=") != -1) ||
        (wwLastErrorReason.indexOf (">") != -1)) {
      wwLastErrorReason = "tampered";
    }
    if (wwLastErrorReason.length > 64) {
      wwLastErrorReason = wwLastErrorReason.substr (0, 64);
    } else if (wwLastErrorReason.length == 0) {
      wwLastErrorReason = "n/a";
    }
    // NOTE(review): a bare reference to an undefined global throws
    // ReferenceError; `typeof encodeURIComponent == "function"` is the safe
    // feature test.  Dead code today because of the `if ( false )` above.
    if (encodeURIComponent) {
      wwLastErrorReason = encodeURIComponent (wwLastErrorReason);
    } else {
      wwLastErrorReason = escape (wwLastErrorReason);
    }
    top.location.href = proto + "://-web.washer-/exec?command=MobileCodeFilter&block&pfc=TvmXRWGY3Xg=&ruc=csNWJHmSQaAa%2BXOuta6DMYIpqDbHT937V6OEe/aczFAPpwYzapsV4yjnxahisHCMtx%2BYVJdcK38=&cats=" + (categories) + "&cid=" + (callerId) + "&ler=" + (wwLastErrorReason);
    if (document.all) {
      // IE only: blank every <script> in the top document and its frames,
      // except the one that contains this prelude (identified by "wwOnError").
      var s, f;
      for (s = 0; s < top.document.scripts.length; s++) {
        if (top.document.scripts(s).text.indexOf ("wwOnError") == -1) {
          top.document.scripts(s).text = "";
        }
      }
      for (f = 0; f < top.frames.length; f++) {
        for (s = 0; s < top.frames(f).document.scripts.length; s++) {
          if (top.frames(f).document.scripts(s).text.indexOf ("wwOnError") == -1) {
            top.frames(f).document.scripts(s).text = "";
          }
        }
      }
    }
  }

  wwLastErrorReason = "";
  if (document.all == null) {
    throw "Script execution blocked by Webwasher Proactive Scanning";
  }
}

// Rolling window of recently written markup, shared by every document and
// frame on the page (the `object` argument below is not used to key it).
var wwWriteCache = "";

/**
 * Scans the concatenation of recent writes so that a hostile marker split
 * across several document.write calls is still caught.  The cache is dropped
 * when one chunk alone exceeds 2048 characters and otherwise trimmed to its
 * last 2048 before the new chunk is appended.
 * @param {Document} object  the writing document (unused)
 * @param {string} markup    chunk about to be written
 * @returns {boolean} result of IsHostileMarkupCode on the updated cache
 */
function IsHostileMarkupCodeInCache (object, markup)
{
  if (markup.length > 2048) {
    wwWriteCache = "";
  } else if (wwWriteCache.length > 2048) {
    wwWriteCache = wwWriteCache.substr (wwWriteCache.length - 2048, 2048);
  }
  wwWriteCache += markup;
  return IsHostileMarkupCode (wwWriteCache);
}

/**
 * Rewrites script text so that dangerous calls go through the ww* wrappers.
 * This is a plain global text replace, not a parse: `eval` inside an
 * identifier such as "retrieval" or inside a string literal is rewritten
 * too, while an alias (`var e = eval`) is not caught.
 * NOTE(review): wwExecScript and wwEval are referenced by the rewrite but not
 * defined in this prelude — presumably supplied elsewhere; verify.
 * NOTE(review): wwExecCommand / ww2SetTimeout take the receiver as their
 * first argument, whereas this substitution only renames the member
 * (`x.execCommand(...)` becomes `x.wwExecCommand(...)`); confirm how call
 * sites are rewritten.
 * @param {*} str  script text; non-strings are returned untouched
 * @returns {*} rewritten text, or the original value when not a string
 */
function InjectHooks (str)
{
  if (typeof str == "string") {
    str = str.replace (/document\.writeln/g, "wwDocumentWriteln");
    str = str.replace (/document\.write/g, "wwDocumentWrite");
    str = str.replace (/execScript/g, "wwExecScript");
    str = str.replace (/execCommand/g, "wwExecCommand");
    str = str.replace (/setTimeout/g, "wwSetTimeout");
    str = str.replace (/setInterval/g, "wwSetInterval");
    str = str.replace (/eval/g, "wwEval");
    str = str.replace (/ActiveXObject/g, "wwActiveXObject");
  }
  return str;
}

// True while a previous chunk contained an <iframe ...> whose </iframe> has
// not been seen yet; everything up to the closing tag is then dropped.
var wwInIFRAMESection = false;

/**
 * Strips <iframe> elements from a markup chunk unless the src value looks
 * like an absolute http(s) URL with a three-label host, a root-relative path,
 * or an .htm(l) file name.  Only the *shape* of the URL is checked, not its
 * host.  Stateful across calls (wwInIFRAMESection) so an element split over
 * several writes is still removed; only the first <iframe> per chunk is
 * examined.
 * @param {string} markup
 * @returns {string} the chunk with the iframe removed, or "" while inside one
 */
function RemoveIFRAMEs (markup)
{
  if ( true ) {  // feature flag left hard-coded on
    var markupLC = markup.toLowerCase();
    var i, j;
    if (!wwInIFRAMESection) {
      i = markupLC.indexOf ("<iframe");
      if (i != -1) {
        var removeThisIFRAME = true;
        if ( true ) {  // second hard-coded flag: keep iframes with a "benign" src
          var n, m;
          var singleQuotedURL = false;
          n = markupLC.indexOf ("src=\"", i + 7);
          if (n == -1) {
            n = markupLC.indexOf ("src='", i + 7);
            if (n != -1) {
              singleQuotedURL = true;
            }
          }
          if (n != -1) {
            m = markupLC.indexOf (">", i + 7);
            if ((m != -1) && (n < m)) {
              // src= belongs to this tag: extract up to the matching quote.
              if (singleQuotedURL) {
                m = markupLC.indexOf ("'", n + 5);
              } else {
                m = markupLC.indexOf ("\"", n + 5);
              }
              if (m != -1) {
                var iframeUrl = markup.substring (n + 5, m);
                if (iframeUrl.length >= 5) {
                  if ( iframeUrl.match (/^http.?\:\/\/\w+\.\w+\.\w+\/.*/) ||
                       iframeUrl.match (/^\/.+/) ||
                       iframeUrl.match (/\D\w+\.\D?htm.?$/i) ) {
                    removeThisIFRAME = false;
                  }
                }
              }
            } else if (m == -1) {
              // The tag is cut off at the end of the chunk: judge the partial
              // URL, accepting only the absolute-http shape.
              var iframeUrl = markup.substring (n + 5, markup.length);
              if (iframeUrl.length >= 5) {
                if ( iframeUrl.match (/^http.?\:\/\/\w+\.\w+\.\w+\/.*/) ) {
                  removeThisIFRAME = false;
                }
              }
            }
          }
        }
        if (removeThisIFRAME) {
          // "+ 9" assumes the closing tag is exactly "</iframe>".
          j = markupLC.indexOf ("</iframe", i + 8);
          if (j != -1) {
            markup = markup.substring (0, i) + markup.substring (j + 9, markup.length);
          } else {
            markup = markup.substring (0, i);
            wwInIFRAMESection = true;
          }
        }
      }
    } else {
      i = markupLC.indexOf ("</iframe");
      if (i != -1) {
        markup = markup.substring (i + 9, markup.length);
        wwInIFRAMESection = false;
      } else {
        markup = "";
      }
    }
  }
  return markup;
}

/**
 * Guarded `object.write(markup)`: blocks (caller id 1000) when the chunk or
 * the write cache matches a hostile marker; otherwise strips iframes, hooks
 * the script text and forwards the write.
 * @param {Document} object
 * @param {*} markup  coerced to string
 */
function wwWrite (object, markup)
{
  if (typeof markup != "string") {
    markup = String (markup);
  }
  if (IsHostileMarkupCode (markup) || IsHostileMarkupCodeInCache (object, markup)) {
    BlockScript (512 /*Vulnerable*/, 1000);
    return;
  }
  object.write (InjectHooks (RemoveIFRAMEs (markup)));
}

/**
 * Guarded `object.writeln(markup)`; same checks as wwWrite (caller id 1001).
 * @param {Document} object
 * @param {*} markup  coerced to string
 */
function wwWriteln (object, markup)
{
  if (typeof markup != "string") {
    markup = String (markup);
  }
  if (IsHostileMarkupCode (markup) || IsHostileMarkupCodeInCache (object, markup)) {
    BlockScript (512 /*Vulnerable*/, 1001);
    return;
  }
  object.writeln (InjectHooks (RemoveIFRAMEs (markup)));
}

/**
 * Guarded `document.write(markup)` for the current document (caller id 1002).
 * @param {*} markup  coerced to string
 */
function wwDocumentWrite (markup)
{
  if (typeof markup != "string") {
    markup = String (markup);
  }
  if (IsHostileMarkupCode (markup) || IsHostileMarkupCodeInCache (document, markup)) {
    BlockScript (512 /*Vulnerable*/, 1002);
    return;
  }
  document.write (InjectHooks (RemoveIFRAMEs (markup)));
}

/**
 * Guarded `document.writeln(markup)` for the current document (caller id 1003).
 * @param {*} markup  coerced to string
 */
function wwDocumentWriteln (markup)
{
  if (typeof markup != "string") {
    markup = String (markup);
  }
  if (IsHostileMarkupCode (markup) || IsHostileMarkupCodeInCache (document, markup)) {
    BlockScript (512 /*Vulnerable*/, 1003);
    return;
  }
  document.writeln (InjectHooks (RemoveIFRAMEs (markup)));
}

/**
 * Maps an ActiveX ProgID to the category bitmask used when blocking it.
 * @param {string} progID  compared case-insensitively; "wscript.*",
 *   "outlook.application" and "adodb." are prefix matches
 * @returns {number} category bits, or 0 when the ProgID is not on the list
 */
function GetCategoryIfWellknownHostileActiveX (progID)
{
  var str = progID.toLowerCase();
  if (str == "scripting.filesystemobject") {
    return 3; /*FileRead | FileWrite*/
  } else if (str == "scripting.encoder") {
    return 512; /*Vulnerable*/
  } else if (str.indexOf ("wscript.shell") == 0) {
    return 15; /*FileRead | FileWrite | RegistryRead | RegistryWrite*/
  } else if (str.indexOf ("wscript.network") == 0) {
    return 16; /*Network*/
  } else if (str.indexOf ("outlook.application") == 0) {
    return 528; /*Vulnerable | Network*/
  } else if (str.indexOf ("adodb.") == 0) {
    return 512; /*Vulnerable*/
  }
  return 0;
}

// Patterns (used with String.match) of ProgIDs that may still be created.
// Empty here, so every ProgID that is not on the hostile list is refused too.
var sAllowedActiveXCtls = new Array ( );

/**
 * Replacement for `new ActiveXObject(progID)`: known-hostile ProgIDs are
 * blocked (caller id 2000, reason = the ProgID); anything else is created
 * only if it matches an entry of sAllowedActiveXCtls.
 * @param {string} progID
 * @returns {object|null} the control, or null when blocked or not allowed
 */
function wwActiveXObject (progID)
{
  var cat = GetCategoryIfWellknownHostileActiveX (progID);
  if (cat != 0) {
    wwLastErrorReason = progID;
    BlockScript (cat, 2000);
    return null;
  }
  if ( false ) {  // disabled: allow-everything mode
    return new ActiveXObject (progID);
  }
  var i;
  for (i = 0; i < sAllowedActiveXCtls.length; ++i) {
    if (progID.match (sAllowedActiveXCtls[i])) {
      return new ActiveXObject (progID);
    }
  }
  return null;
}

/**
 * Filter for code strings headed to eval/execScript: enforces
 * wwMaxEvalCodeLen (caller id 3000) and the hostile-marker scan (3001), then
 * rewrites the text with InjectHooks.  Non-strings pass through InjectHooks
 * unchanged.
 * @param {*} scriptCode
 * @returns {*} hooked code, or "" when blocked
 */
function wwFilterCode (scriptCode)
{
  if (typeof scriptCode == "string") {
    if (scriptCode.length > wwMaxEvalCodeLen) {
      wwLastErrorReason = "length " + (scriptCode.length);
      BlockScript (512 /*Vulnerable*/, 3000);
      return "";
    }
    if (IsHostileMarkupCode (scriptCode)) {
      BlockScript (512 /*Vulnerable*/, 3001);
      return "";
    }
  }
  return InjectHooks (scriptCode);
}

/**
 * Guarded `object.execCommand(cmd, withUI, value)` (caller ids 3020/3021).
 * @param {object} object
 * @param {string} cmd
 * @param {boolean} [withUI]
 * @param {string} [value]  marked optional, but `value.length` is read
 *   unconditionally, so omitting it throws a TypeError before any check runs
 * @returns {*} execCommand's result; false when blocked as hostile, undefined
 *   when blocked for length (the two blocked paths return different values)
 */
function wwExecCommand (object, cmd, /*OPTIONAL*/ withUI, /*OPTIONAL*/ value)
{
  if ((cmd.length > wwMaxEvalCodeLen) || (value.length > wwMaxEvalCodeLen)) {
    wwLastErrorReason = "length " + (cmd.length) + " or " + (value.length);
    BlockScript (512 /*Vulnerable*/, 3020);
    return;
  }
  if (IsHostileMarkupCode (cmd) || IsHostileMarkupCode (value)) {
    BlockScript (512 /*Vulnerable*/, 3021);
    return false;
  }
  return object.execCommand (InjectHooks (cmd), withUI, InjectHooks (value));
}

/**
 * Guarded global `setTimeout` (caller ids 3030/3031).  Only string code is
 * scanned and length-capped by wwMaxTimeoutCodeLen; function callbacks pass
 * straight through.
 * @param {string|Function} code
 * @param {number} msec
 * @param {string} [language]  IE-only third argument, forwarded as-is
 * @returns {*} the timer id, or undefined when blocked
 */
function wwSetTimeout (code, msec, /*OPTIONAL*/ language)
{
  if (typeof code == "string") {
    if (code.length > wwMaxTimeoutCodeLen) {
      wwLastErrorReason = "length " + (code.length);
      BlockScript (512 /*Vulnerable*/, 3030);
      return;
    }
    if (IsHostileMarkupCode (code)) {
      BlockScript (512 /*Vulnerable*/, 3031);
      return;
    }
  }
  return setTimeout (InjectHooks (code), msec, language);
}

/**
 * Same as wwSetTimeout but invoked on an explicit window/frame object
 * (caller ids 3032/3033).
 * @param {Window} object
 * @param {string|Function} code
 * @param {number} msec
 * @param {string} [language]
 * @returns {*} the timer id, or undefined when blocked
 */
function ww2SetTimeout (object, code, msec, /*OPTIONAL*/ language)
{
  if (typeof code == "string") {
    if (code.length > wwMaxTimeoutCodeLen) {
      wwLastErrorReason = "length " + (code.length);
      BlockScript (512 /*Vulnerable*/, 3032);
      return;
    }
    if (IsHostileMarkupCode (code)) {
      BlockScript (512 /*Vulnerable*/, 3033);
      return;
    }
  }
  return object.setTimeout (InjectHooks (code), msec, language);
}

/**
 * Guarded global `setInterval` (caller ids 3040/3041).  Note that
 * "setInterval" is itself on the hostile denylist, so code containing the
 * literal call is already rejected by IsHostileMarkupCode before this wrapper
 * is reached through InjectHooks.
 * @param {string|Function} code
 * @param {number} msec
 * @param {string} [language]
 * @returns {*} the interval id, or 0 when blocked
 */
function wwSetInterval (code, msec, /*OPTIONAL*/ language)
{
  if (typeof code == "string") {
    if (code.length > wwMaxTimeoutCodeLen) {
      wwLastErrorReason = "length " + (code.length);
      BlockScript (512 /*Vulnerable*/, 3040);
      return 0;
    }
    if (IsHostileMarkupCode (code)) {
      BlockScript (512 /*Vulnerable*/, 3041);
      return 0;
    }
  }
  return setInterval (InjectHooks (code), msec, language);
}

/**
 * Same as wwSetInterval but invoked on an explicit window/frame object
 * (caller ids 3042/3043).
 * @param {Window} object
 * @param {string|Function} code
 * @param {number} msec
 * @param {string} [language]
 * @returns {*} the interval id, or 0 when blocked
 */
function ww2SetInterval (object, code, msec, /*OPTIONAL*/ language)
{
  if (typeof code == "string") {
    if (code.length > wwMaxTimeoutCodeLen) {
      wwLastErrorReason = "length " + (code.length);
      BlockScript (512 /*Vulnerable*/, 3042);
      return 0;
    }
    if (IsHostileMarkupCode (code)) {
      BlockScript (512 /*Vulnerable*/, 3043);
      return 0;
    }
  }
  return object.setInterval (InjectHooks (code), msec, language);
}

// ---------------------------------------------------------------------------
// Part 2: the page's own script — the XiTi audience-measurement tag shipped
// with SPIP Agora.  The `<!--` / `//-->` pair is the legacy wrapper that hid
// inline scripts from pre-JavaScript browsers; script engines treat `<!--` as
// a line comment (Annex B), which is why it does not break the page.
// ---------------------------------------------------------------------------
<!--
// Lifetime, in seconds, of the "xtref" referrer cookie.
var xtdr = 30;
var xw = window;
var xd = document; // this line must absolutely not be changed
// Each xt* setting may be pre-set by the host page on window; otherwise a
// default applies.  All of these are implicit globals (no var).
xtnv = (xw.xtnv!=null) ? xw.xtnv : xd ; // replace xd with parent.document if the page is inside a frame
xtsd = (xw.xtsd!=null) ? xw.xtsd : "http://www" ;   // scheme + host prefix of the collector
xtsite = (xw.xtsite!=null) ? xw.xtsite : 0;         // site id; 0 disables the hit
xtn2 = (xw.xtn2!=null) ? "&s2="+xw.xtn2 : "";       // level-2 section, pre-formatted as a query fragment
xtp = (xw.xtpage!=null) ? xw.xtpage : "";           // page name
xtdi = (xw.xtdi!=null) ? "&di=" + xw.xtdi : "";
xtdmc = (xw.xtdmc!=null) ? ";domain=" + xw.xtdmc : "" ;  // cookie domain suffix
xtrd = (xtsite=="redirect") ? true : false;         // "redirect" mode only records the referrer
xtprm = (xw.xtprm!=null) ? xw.xtprm : "";           // extra raw query parameters
xts = screen;
var xtxp = new Date();
xtxp.setTime(xtxp.getTime()+(xtdr*1000));   // cookie expiry = now + xtdr seconds
var xtdate = new Date();

/**
 * Reads cookie `nom` from document.cookie by looking for "nom=" at the start
 * and after each space (cookies are "; "-separated).
 * @param {string} nom  cookie name
 * @returns {string|null} the unescaped value, or null when absent
 */
function Getxtorcookie(nom)
{
  var arg = nom + "=";
  var i = 0 ;
  while (i<xd.cookie.length)
  {
    var j = i + arg.length;
    if (xd.cookie.substring(i,j) == arg) {return valeurxtorcook(j);}
    i = xd.cookie.indexOf(" ",i) + 1;
    if (i==0) {break;}   // no further space: nothing left to scan
  }
  return null;
}

/**
 * Value of the cookie whose "name=" prefix ends at `index`: the text up to
 * the next ";" (or the end of document.cookie), passed through unescape().
 * @param {number} index
 * @returns {string}
 */
function valeurxtorcook(index)
{
  var fin = xd.cookie.indexOf(";",index);
  if (fin==-1) {fin=xd.cookie.length;};
  return unescape(xd.cookie.substring(index,fin));
}

/**
 * Extracts query parameter `param` from xtnv's location.search.  The query is
 * lower-cased first and "%3d" is decoded to "="; "%26" is accepted as a
 * separator next to "&".  The lookup is a plain substring search, so a longer
 * parameter name that ends in `param` would match as well.
 * @param {string} param
 * @returns {string|null} the raw (lower-cased, otherwise still encoded)
 *   value, or null when not present
 */
function recupxtor(param)
{
  var xturl = xtnv.location.search.toLowerCase().replace(/%3d/g,'=');
  // NOTE(review): xtpos, chq, mq and pos3 are implicit globals.
  xtpos = xturl.indexOf(param+"=");
  if (xtpos > 0)
  {
    chq = xturl.substring(1, xturl.length);   // drop the leading "?"
    mq = chq.substring(chq.indexOf(param+"="), chq.length);
    pos3 = mq.indexOf("&");
    if (pos3 == -1) pos3 = mq.indexOf("%26")   // relies on ASI (no semicolon)
    if (pos3 == -1) pos3 = mq.length;
    return mq.substring(mq.indexOf("=")+1, pos3);
  }
  else
  { return null; }
}

/**
 * Sends a media/click hit by loading a 1x1 image, then, for type "C" with a
 * target x2, navigates: same window when x3 is empty, otherwise a popup
 * named "xfen".  Values are concatenated into the URL without encoding.
 * @param {string} type  "F" (no extra fields), "M" (x1..x5 become a,m1..m4),
 *   anything else (x1 becomes clic; "C" additionally navigates)
 * @param {string} section  level-2 section (s2)
 * @param {string} page
 * @param {*} x1
 * @param {*} x2  for type "C": the URL to open
 * @param {*} x3  for type "C": non-empty selects the popup
 * @param {*} x4
 * @param {*} x5
 */
function xt_med(type,section,page,x1,x2,x3,x4,x5)
{
  // xt_img, xt_ajout, Xt_im and xfen are implicit globals.
  xt_img = new Image();
  xt_ajout = (type=="F") ? "" : (type=="M") ? "&a="+x1+"&m1="+x2+"&m2="+x3+"&m3="+x4+"&m4="+x5 : "&clic="+x1;
  Xt_im = xtsd+'.xiti.com/hit.xiti?s='+xtsite+'&s2='+section;
  Xt_im += '&p='+page+xt_ajout+'&hl=' + xtdate.getHours() + 'x' + xtdate.getMinutes() + 'x' + xtdate.getSeconds();
  if(parseFloat(navigator.appVersion)>=4)
  {Xt_im += '&r=' + xts.width + 'x' + xts.height + 'x' + xts.pixelDepth + 'x' + xts.colorDepth;}
  xt_img.src = Xt_im;   // setting src fires the request
  if ((x2 != null)&&(x2!=undefined)&&(type=="C"))
  { if ((x3=='')||(x3==null)) { document.location = x2} else {xfen = window.open(x2,'xfen',''); xfen.focus();}}
  else
  {return;}
}

// Page-view hit, run at load when a site id is configured or in redirect mode.
if((xtsite!=0)||(xtrd))
{
  xtourl_rf = recupxtor("xtref");   // referrer handed over via ?xtref= by a redirect page
  if (!xtrd)
  {
    // Browser sniffing: xtIE is reused as a boolean, xtvers is the version.
    var xtnav = navigator.appName+" "+navigator.appVersion;
    var xtIE = (xtnav.indexOf('MSIE'));
    if (xtIE>=0) {xtvers = parseInt(xtnav.substr(xtIE+5));xtIE=true;}   // NOTE(review): parseInt without radix
    else {xtvers = parseFloat(navigator.appVersion);xtIE=false;}
    var xtnet=(xtnav.indexOf('Netscape') >=0);
    var xtmac=(xtnav.indexOf('Mac') >=0);
    var xtOP=(navigator.userAgent.indexOf('Opera') >=0);
    if((xtIE)&&(xtvers >=5)&&(!xtmac)&&(!xtOP)&&(!xtrd))
    {
      // IE5+/Windows: DHTML behaviors expose the connection type, the
      // home-page flag and the body's rendered size.
      xd.body.addBehavior("#default#clientCaps");
      xtconn = '&cn=' + xd.body.connectionType;
      xd.body.addBehavior("#default#homePage");
      xthome = (xd.body.isHomePage(location.href))? '&hm=1': '&hm=0';
      xtresr = '&re='+xd.body.offsetWidth+'x'+xd.body.offsetHeight;
    }
    else
    {xtconn = ''; xthome='';if(xtvers >=5){xtresr = '&re='+xw.innerWidth+'x'+xw.innerHeight;}else{xtresr =''};}
    if((xtnet)&&(xtvers >=4)||(xtOP)){var xtlang = '&lng=' + navigator.language;}
    else {if((xtIE)&&(xtvers >=4)&&(!xtOP)){var xtlang = '&lng=' +navigator.userLanguage;} else {xtlang = '';}}

    // Referrer: ?xtref= wins over document.referrer; "<" and ">" are removed;
    // the xtref cookie is the last resort.
    Xt_r = (xtourl_rf!=null) ? xtourl_rf.replace(/[<>]/g, '') : xtnv.referrer.replace(/[<>]/g, '') ;
    if(Xt_r=="") { Xt_r = Getxtorcookie("xtref"); Xt_r = (Xt_r==null) ? "" : Xt_r; }

    Xt_param = 's='+xtsite+xtn2+'&p='+xtp+'&hl='+xtdate.getHours()+'x'+xtdate.getMinutes()+'x'+xtdate.getSeconds();
    Xt_param += xtdi+xtprm+xtconn+xthome+xtlang;
    Xt_i = '<img width="1" height="1" src="'+xtsd+'.xiti.com/hit.xiti?'+Xt_param;
    if(xtvers >=4)
    {Xt_i += '&r=' + xts.width + 'x' + xts.height + 'x' + xts.pixelDepth + 'x' + xts.colorDepth;}
    // NOTE(review): Xt_r (from the ?xtref= parameter or document.referrer) is
    // written into a double-quoted src attribute with only < and > stripped;
    // a double quote in it would terminate the attribute.  Encoding the value
    // with encodeURIComponent before concatenation would close that gap.
    // "&" is replaced by "$" so the referrer stays a single query parameter.
    // NOTE(review): this call was presumably `xd.write(...)` in the upstream
    // file and was rewritten to wwWrite by the filtering proxy — verify.
    wwWrite(xd, Xt_i + xtresr + '&ref='+Xt_r.replace(/&/g, '$') + '">');
  }
  else
  {
    // Redirect mode: stash the referrer in a short-lived cookie unless it was
    // already passed along via ?xtref=.  The value is written raw, although
    // valeurxtorcook unescape()s it on read.
    if(xtourl_rf==null)
    {
      xtref = xtnv.referrer.replace(/[<>]/g, '').replace(/&/g, '$');
      xd.cookie = "xtref=" + xtref + " ;expires=" + xtxp.toGMTString() + " ;path=/;"+xtdmc;
    }
  }
}
//-->