WYSIWYG textbox editors and cross-site scripting attacks

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

riddleyw
Forum Newbie
Posts: 1
Joined: Tue Mar 23, 2010 8:46 pm

WYSIWYG textbox editors and cross-site scripting attacks

Post by riddleyw »

I've been thinking about adding a PHP WYSIWYG textbox editor to a site, much like the one in use here (or tinyedit or iRite or the like).

The editor allows the user to add bold/underline and even links.

Which suggests, to my very newbie head, that I'm opening up anyone who reads those postings to cross-site attack. Am I wrong? What is the best way to filter out this stuff or is that just part of the risk.

I don't think this is a situation for htmlentities because I want to allow the user to enter some of those things that would otherwise be stripped, like anchors and hrefs and the like.

For example, I see this box allows code to be entered, but presumably keeps it from running when the message is merely read.

My head is spinning...can someone set me straight?
Zlobcho
Forum Newbie
Posts: 18
Joined: Sun Jun 21, 2009 7:57 pm

Re: WYSIWYG textbox editors and cross-site scripting attacks

Post by Zlobcho »

I highly recommend htmlpurifier. It's easy to use and free. :)

http://htmlpurifier.org/
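An added example, not from this thread, of how the HTML Purifier whitelist recommended above is set up in PHP. The Composer autoload path, the function names and the list of allowed tags are assumptions about the site; the configuration directives (HTML.Allowed, URI.AllowedSchemes, HTML.Nofollow, Cache.DefinitionImpl) are the library's own:

```php
<?php
// Added example (not from the thread): whitelisting rich-text HTML with HTML Purifier.
// Assumes the library was installed with Composer (ezyang/htmlpurifier); the autoload
// path is an assumption about the project layout.
require_once __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Allow only what the editor actually offers. Everything else (script, img, iframe,
    // style, on* event handlers, ...) is removed, not escaped.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,u,a[href]');

    // Only these schemes may appear in href; javascript:, data:, vbscript: links lose the attribute.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);

    // rel="nofollow" on links inside user content.
    $config->set('HTML.Nofollow', true);

    // Keep the example self-contained: no definition cache is written to disk.
    $config->set('Cache.DefinitionImpl', null);

    return new HTMLPurifier($config);
}

function sanitizeRichText(string $untrustedHtml): string
{
    static $purifier = null;
    $purifier ??= makePurifier();
    return $purifier->purify($untrustedHtml);
}

// Constructed sample: the kind of payload a user can submit through (or around) the editor.
$untrusted = '<p onmouseover="alert(1)">Hello <b>world</b>, '
    . '<a href="javascript:alert(document.cookie)">click</a> '
    . '<script>alert(1)</script><img src=x onerror=alert(1)></p>';

// Store $clean, not $untrusted. The event handler, the javascript: href, the script and
// the img are all gone; the bold text and the link text survive.
$clean = sanitizeRichText($untrusted);
echo $clean, PHP_EOL;
```

Run the purifier once when the post is saved and echo the stored result as-is on display; running htmlspecialchars() over it a second time would turn the allowed formatting back into visible tags.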
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: WYSIWYG textbox editors and cross-site scripting attacks

Post by pickle »

The code you post here is not considered code by phpBB. It is considered plain text, wrapped in code blocks. It is never executed, just treated as a string.

In addition to using htmlpurifier, a lot of forums use BBCode. This allows the forum to decide which tags can be used. When you bold text here, you use tags. Those tags are stored in the database. However, when displayed, they get converted to <strong></strong> tags. If you were to put <strong /> tags in manually, the forum would treat them as text & output "<strong>".
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
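An added example, not phpBB's code, of the BBCode approach described in the post above: the raw BBCode is what gets stored, the whole string is escaped first, and only the recognised tags are turned back into HTML, so a literal `<strong>` typed by the user is displayed as text. The function name and the handful of supported tags are this example's own choices:

```php
<?php
// Added example (not phpBB's own code): a minimal BBCode renderer for display time.

function renderBbcode(string $text): string
{
    // 1. Escape everything first. From here on, the only HTML in $html is what this
    //    function adds, so a typed "<strong>" stays visible as &lt;strong&gt;.
    $html = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Paired tags without attributes map straight to fixed HTML.
    $html = preg_replace('#\[b\](.*?)\[/b\]#is', '<strong>$1</strong>', $html);
    $html = preg_replace('#\[i\](.*?)\[/i\]#is', '<em>$1</em>', $html);
    $html = preg_replace('#\[u\](.*?)\[/u\]#is', '<u>$1</u>', $html);

    // 3. Links carry user data (the URL), so that part needs its own check before it
    //    becomes an href attribute.
    $html = preg_replace_callback(
        '#\[url=([^\]]+)\](.*?)\[/url\]#is',
        function (array $m): string {
            // Step 1 turned "&" into "&amp;" inside the URL; decode before checking it.
            $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            // Scheme whitelist anchored at the very first byte: javascript:, data: and
            // "  javascript:" (leading whitespace, which browsers strip) all fall through.
            if (!preg_match('#\A(https?|mailto):#i', $url)) {
                return $m[2]; // unsafe scheme: show the link text only, no link
            }
            $safeUrl = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $safeUrl . '" rel="nofollow noopener">' . $m[2] . '</a>';
        },
        $html
    );

    return nl2br($html);
}

// Constructed sample post mixing legitimate BBCode, hand-typed HTML and a hostile link.
$post = "Hello [b]world[/b]! <strong>not bold</strong> "
    . "[url=javascript:alert(1)]click[/url] "
    . "[url=https://example.com/?a=1&b=2]site[/url]";

// The stored value is $post (BBCode); the HTML below is generated on every display.
echo renderBbcode($post), PHP_EOL;
```

Because the text is escaped before any tag is converted, the regexes only ever see `&lt;` and `&gt;` where the user typed angle brackets; the only way HTML gets into the output is through the fixed strings this function emits.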
Sephern
Forum Commoner
Posts: 73
Joined: Sun Jan 04, 2009 4:44 pm

Re: WYSIWYG textbox editors and cross-site scripting attacks

Post by Sephern »

You can also use strip_tags, but as pickle said, it's a much more secure option to have bbcode, or something similar and use str_replace.
Zlobcho
Forum Newbie
Posts: 18
Joined: Sun Jun 21, 2009 7:57 pm

Re: WYSIWYG textbox editors and cross-site scripting attacks

Post by Zlobcho »

Hi Sephern,

:) I am sure you are aware of this, but strip_tags does not filter/strip any attributes for allowed tags, so you still can XSS the page. Within WYSIWYG editors, most of them are using iframe designMode, so bbcode is not an option if you are going with one. However, you need a strict filtering policy when it comes to rich text in dynamic sites. There are no universal tools or approaches to accomplish this.

Good day to all.
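An added example, not from the thread, that first shows the strip_tags() problem described above on constructed payloads and then sketches the checks a strict policy has to make (element whitelist, attribute whitelist, URL scheme whitelist) with a small DOMDocument-based filter. The function and constant names are this example's own, and the filter is an illustration of the checks, not a replacement for a maintained sanitiser such as HTML Purifier, which also handles CSS, entity tricks and nesting rules:

```php
<?php
// Added example (not from the thread). Part 1: strip_tags() is not a sanitiser.
// Part 2: a small whitelist filter on top of DOMDocument, to show what a strict policy checks.

// Constructed payloads: every one of them survives strip_tags() with <b> and <a> allowed,
// because strip_tags only decides which element *names* stay; attributes are untouched.
$payloads = [
    '<b onmouseover="alert(1)">hover me</b>',
    '<a href="javascript:alert(document.cookie)">link</a>',
    '<a href="https://example.com" onclick="alert(1)">link</a>',
];
foreach ($payloads as $p) {
    echo strip_tags($p, '<b><a>'), PHP_EOL;
}

// Part 2: element name => attributes allowed on it. Everything else is dropped.
const ALLOWED_ELEMENTS = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [], 'u' => [],
    'a' => ['href'],
];

function hrefIsSafe(string $url): bool
{
    // Anchored at the first byte: leading whitespace or control characters (which browsers
    // strip before scheme detection) make the URL fail the whitelist instead of bypassing it.
    // The DOM parser has already decoded entities, so "&#106;avascript:" arrives as "javascript:".
    return (bool) preg_match('#\A(https?|mailto):#i', $url);
}

function cleanNode(DOMNode $node): void
{
    // Copy the list first: removing children while iterating a live DOMNodeList skips nodes.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset(ALLOWED_ELEMENTS[$tag])) {
                // Strict policy: an unknown element goes together with its content.
                // This is what removes <script>...</script> and <img ...>.
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, ALLOWED_ELEMENTS[$tag], true)
                    && ($name !== 'href' || hrefIsSafe($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            // Comments, processing instructions: nothing a forum post needs.
            $node->removeChild($child);
        }
    }
}

function sanitizeWhitelist(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate the broken markup users paste in
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="UTF-8"></head><body>'
        . $html . '</body></html>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child); // text nodes come back entity-escaped
    }
    return $out;
}

// Same payloads plus a script and an img: the handlers, the javascript: href, the script
// and the img are removed; the bold text, the link text and the https link remain.
echo sanitizeWhitelist(implode(' ', $payloads)
    . '<script>alert(1)</script><img src=x onerror=alert(1)>'), PHP_EOL;
```

Working on the parsed DOM rather than on the string is what makes the attribute and scheme checks reliable: the parser, not a regex, decides where an element ends and what the attribute value is once entities are decoded.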
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: WYSIWYG textbox editors and cross-site scripting attacks

Post by kaisellgren »

In a previous project I used TinyMCE with HTML Purifier so that after it was purified, I saved the encoded format in the database, and made a HMAC of it and saved it as well. Every time the content was about to be displayed, I didn't need to re-run HTML Purifier, which can be slow depending on the input, settings and amount of requests. I just checked that the HMAC of the database data matched the one in the database to be sure no one has altered it directly from the database either accidentally or via compromised credentials/SQL injection.
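An added example, not the poster's code, of the purify-once-and-HMAC pattern described above: the sanitised HTML is stored next to an HMAC of it, and on display the HMAC is checked instead of re-running the purifier. It goes one step beyond the post by also binding the post id into the MAC. The function names, the column names and the APP_HMAC_KEY environment variable are assumptions; the body handed to sealContent() is assumed to have already been through HTML Purifier or another sanitiser:

```php
<?php
// Added example (not the poster's code): sanitise at write time, store HTML + HMAC,
// verify the HMAC on every read. Assumes APP_HMAC_KEY is a secret kept outside the database.

const HMAC_ALGO = 'sha256';

function hmacKey(): string
{
    $key = getenv('APP_HMAC_KEY');
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('APP_HMAC_KEY must be set to at least 32 random bytes');
    }
    return $key;
}

function macFor(int $postId, string $html): string
{
    // Binding the post id stops someone with database write access from copying one post's
    // validly signed body into another post. The NUL byte separates the two fields so that
    // (id=1, body="2...") and (id=12, body="...") cannot collide.
    return hash_hmac(HMAC_ALGO, $postId . "\0" . $html, hmacKey());
}

// Write path: called once with the already-purified HTML; returns the two columns to store.
function sealContent(int $postId, string $purifiedHtml): array
{
    return ['body' => $purifiedHtml, 'body_mac' => macFor($postId, $purifiedHtml)];
}

// Read path: returns the HTML only if the stored MAC still matches it, null otherwise.
// A null means the row was altered outside the application (SQL injection, a direct
// database edit, a restore signed with another key); the caller must not render it.
function openContent(int $postId, array $row): ?string
{
    // hash_equals() compares in constant time; a plain === would leak timing information.
    return hash_equals(macFor($postId, $row['body']), $row['body_mac']) ? $row['body'] : null;
}

// Demonstration with a constructed key and row. A real deployment uses one fixed secret
// per application; generating it at runtime here is only so the example runs stand-alone.
putenv('APP_HMAC_KEY=' . bin2hex(random_bytes(32)));

$row = sealContent(42, '<p>Hello <strong>world</strong></p>');
var_dump(openContent(42, $row) !== null);   // untouched row verifies

$tampered = $row;
$tampered['body'] = '<p>Hello <script>alert(1)</script></p>'; // simulated direct DB edit
var_dump(openContent(42, $tampered));         // MAC no longer matches, nothing is rendered

var_dump(openContent(43, $row));              // valid body attached to another post: also refused
```

The MAC only tells you the row is what the application wrote; it does not make the content safe by itself, so the purifier still has to run on every write path, including edits and imports, and the key must live somewhere an attacker with database access cannot read.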