Code:
[Patterns]
Name = "<script>: Remove Obfuscated Code [20081221b]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Limit = 32767
Match = "(($TYPE(js)|$TYPE(vbs))$SET(sOpen=1)|(^($TYPE(js)|$TYPE(vbs)))< (script$SET(sOpen=1)|/ script$SET(sOpen=)))PrxFail"
"|"
"$TST(sOpen=1)"
"("
"(=| \( | , )\0(\"|\')\1"
"("
"("
"(\\([0-7]+{1,3}&&[#000:377]))"
"|((%|\\x)([a-f0-9])+{2})"
"|((%|\\)u([a-f0-9])+{4})"
")"
")+{10,*}$SET(2=$ALERT(Obfuscated code detected and removed/broken on:\r\n\r\n\u))"
"|"
"String.fromCharCode \($SET(0=foo)$SET(1=\()"
"|(\s|;|>)\9unescape \( [_a-z0-9]+.replace \($SET(0=\9foo\()$SET(1=bar\()"
"|(\s|;|>)\9eval \( ("
" (([_a-Z0-9]+)(\+|))+{3,*}$SET(0=\9foo)$SET(1=\()"
" |(function|unescape) \($SET(0=\9foo\()$SET(1=bar\()"
" )$SET(2=$ALERT(Obfuscation function detected and removed/broken on:\r\n\r\n\u))"
")"
Replace = "\0\1"
"\2"
Test page:
http://prxbx.com/test/IEXMLPoC.html (warning, may crash your IE-based browser)
edit by admin: inserted missing
" after the
) in the second-to-last line of the Match Code...
Old Versions:
Code:
[Patterns]
Name = "<script>: Remove Obfuscated Code [20081221a]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Limit = 32767
Match = "(($TYPE(js)|$TYPE(vbs))$SET(sOpen=1)|(^($TYPE(js)|$TYPE(vbs)))< (script$SET(sOpen=1)|/ script$SET(sOpen=)))PrxFail"
"|"
"$TST(sOpen=1)"
"("
"(=| \( | , )\0(\"|\')\1(^((.(.|)|)/|http(s|)://))( [^"'<>%\\]+ |)"
"("
"("
"(\\([0-7]+{1,3}&&[#000:377]))"
"|((%|\\x)([a-f0-9])+{2})"
"|((%|\\)u([a-f0-9])+{4})"
")"
"( [^"'<>%\\]+ |)"
")+{10,*}$SET(2=$ALERT(Obfuscated code detected and removed/broken on:\r\n\r\n\u))"
"|"
"String.fromCharCode \($SET(0=foo)$SET(1=\()"
"|(\s|;|>)\9unescape \( [_a-z0-9]+.replace \($SET(0=\9foo\()$SET(1=bar\()"
"|(\s|;|>)\9eval \( ("
" (([_a-Z0-9]+)(\+|))+{3,*}$SET(0=\9foo)$SET(1=\()"
" |(function|unescape) \($SET(0=\9foo\()$SET(1=bar\()"
" )"
")"
Replace = "\0\1"
"\2"
Search
Member List
Calendar
Help
![[-]](images/ONi/collapse.gif)