HTMLPurifier - Take your best shot

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander

As HTMLPurifier rolls along closer to Beta stage, I'd like to do some pre-beta security/usability testing. Essentially, I want you to take your best shot, and see if you can get past the filter. The live demo is here.

Test for security against XSS and standards compliance.

Here are some reference materials you may find useful:

* Progress report - this documents what has been implemented and what has not. Some valid CSS will be filtered out... but that's the nature of whitelist filtering! Those will be implemented soon. However, the lexer should be guaranteed to produce valid XHTML.
* XSS attacks smoketest - using their handy dandy XML format, I've banged out a smoketest for all of the XSS methods in that cheatsheet. So far, none of them seem to work. :-P
* Code Quality Issues - I get lazy; I've tried to figure out where that happened, so these may be weak spots.

Some input ideas:

* Copy-paste HTML from websites (intact) and see how it handles the onslaught of <meta> and <head> tags.
* Copy-paste HTML from this forum!
* Copy-paste HTML from your website.

Also, look out for funny behavior. It may be standards-compliant, but it may not do the best thing to the text when it hits it. Does a certain escaping behavior surprise you? Put it here.

Edit - Clarify what security means
Edit 2 - Update status
Last edited by Ambush Commander on Mon Aug 14, 2006 6:28 pm, edited 2 times in total.
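To make the three points above concrete (whitelist filtering that drops even some valid markup, a smoketest driven by a list of cheatsheet-style probes, and stripping a pasted page's `<head>`/`<meta>` wrapper), here is an added example of a minimal whitelist HTML sanitizer with its own smoketest harness. It is written for this thread, not code from HTMLPurifier or its author; the tag/attribute/scheme policy, the `WhitelistSanitizer` class and the probe strings are all constructed assumptions, and the real library's policy is far larger.

```python
import html
import re
from html.parser import HTMLParser

# Constructed whitelist policy: anything not listed here is removed.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img", "ul", "ol",
                "li", "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Tags whose content is dropped too (script bodies, the document head).
DROP_WITH_CONTENT = {"script", "style", "head", "title", "iframe", "object",
                     "embed", "noscript"}
VOID_TAGS = {"br", "img", "meta", "link", "hr", "input"}

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
_SURVIVOR_RE = re.compile(r"<script|\bon\w+\s*=|javascript:", re.I)


def safe_url(value):
    """Allow relative URLs and whitelisted schemes only. Whitespace and control
    characters are removed first because browsers ignore them inside a scheme;
    HTMLParser has already decoded entities, so &#106;avascript: arrives as
    javascript: here."""
    collapsed = re.sub(r"[\s\x00-\x1f\x7f]", "", value)
    m = _SCHEME_RE.match(collapsed)
    return m is None or m.group(1).lower() in ALLOWED_SCHEMES


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch: only whitelisted tags/attributes are
    emitted, text is re-escaped, and the output is always well-formed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._out = []   # output pieces
        self._open = []  # stack of emitted, still-open tags
        self._skip = []  # stack of DROP_WITH_CONTENT tags we are inside

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT and tag not in VOID_TAGS:
            self._skip.append(tag)   # swallow everything up to its end tag
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return                   # dropped, or unwrapped (content kept)
        clean = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue             # on* handlers and style end up here
            value = value or ""
            if name in ("href", "src") and not safe_url(value):
                continue
            clean += f' {name}="{html.escape(value, quote=True)}"'
        if tag in VOID_TAGS:
            self._out.append(f"<{tag}{clean} />")
        else:
            self._out.append(f"<{tag}{clean}>")
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag in self._skip:    # unwind to the matching dropped tag
                while self._skip.pop() != tag:
                    pass
            return
        if tag not in self._open:
            return                   # stray or non-whitelisted end tag
        while self._open:            # close mis-nested tags down to this one
            t = self._open.pop()
            self._out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self._skip:
            self._out.append(html.escape(data, quote=False))

    # Comments (including IE conditional comments), <!DOCTYPE> and <?pi?> are
    # discarded by HTMLParser's no-op default handlers.

    def close(self):
        super().close()
        while self._open:            # close whatever the input left open
            self._out.append(f"</{self._open.pop()}>")

    def result(self):
        return "".join(self._out)


def sanitize(fragment):
    p = WhitelistSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


# Constructed probes in the spirit of a cheatsheet-derived smoketest
# (these are not the cases from the post's own smoketest file).
PROBES = [
    '<script>alert(1)</script><p>text</p>',
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    '<a href="&#106;avascript:alert(1)">click</a>',  # entity-encoded scheme
    '<a href="jav\tascript:alert(1)">click</a>',     # tab inside the scheme
    '<p style="background:url(javascript:alert(1))">x</p>',
    '<!--[if gte IE 4]><script>alert(1)</script><![endif]-->',
]


def smoketest(probes=PROBES):
    """Map each probe to its sanitized form for inspection or assertion."""
    return {probe: sanitize(probe) for probe in probes}


def survives_xss(output):
    """True if script, an event-handler attribute or a javascript: URL got through."""
    return _SURVIVOR_RE.search(output) is not None


if __name__ == "__main__":
    for probe, out in smoketest().items():
        print("FAIL" if survives_xss(out) else "ok  ", repr(probe), "->", repr(out))
```

Running the script prints one line per probe; a pasted page such as `<html><head><meta charset="utf-8"><title>T</title></head><body><p>Hi</p></body></html>` reduces to `<p>Hi</p>`, and an unclosed `<b>bold <i>x` comes back balanced as `<b>bold <i>x</i></b>`. The trade-off the post mentions is visible too: a `style` attribute with perfectly valid CSS is discarded along with the malicious one, because the whitelist simply has no entry for it.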