I've been thinking about adding a PHP WYSIWYG textbox editor to a site, much like the one in use here (or tinyedit or iRite or the like).
The editor allows the user to add bold/underline and even links.
Which suggests, to my very newbie head, that I'm opening up anyone who reads those postings to cross-site attack. Am I wrong? What is the best way to filter out this stuff or is that just part of the risk.
I don't think this is a situation for htmlentities because I want to allow the user to enter some of those things that would otherwise be stripped, like anchors and hrefs and the like.
For example, I see this box allows code to be entered, but presumably keeps it from running when the message is merely read.
My head is spinning...can someone set me straight?
WYSIWYG Textbox editors and Cross Site scripting attacks
Re: WYSIWYG Textbox editors and Cross Site scripting attacks
The code you post here is not considered code by phpBB. It is considered plain text, wrapped in code blocks. It is never executed, just treated as a string.
In addition to using htmlpurifier, a lot of forums use BBCode. This allows the forum to decide which tags can be used. When you bold text here, you use tags. Those tags are stored in the database. However, when displayed, they get converted to <strong></strong> tags. If you were to put <strong /> tags in manually, the forum would treat them as text and output "<strong>".
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Re: WYSIWYG Textbox editors and Cross Site scripting attacks
You can also use strip_tags, but as pickle said, it's a much more secure option to have bbcode, or something similar and use str_replace.
Re: WYSIWYG Textbox editors and Cross Site scripting attacks
Hi Sephern,
I am sure you are aware of this, but strip_tags does not filter/strip any attributes for allowed tags, so you can still XSS the page. Within WYSIWYG editors, most of them are using iframe designMode, so BBCode is not an option if you are going with one. However, you need a strict filtering policy when it comes to rich text in dynamic sites. There are no universal tools or approaches to accomplish this.
Good day to all.
- kaisellgren
Re: WYSIWYG Textbox editors and Cross Site scripting attacks
In a previous project I used TinyMCE with HTML Purifier so that after it was purified, I saved the encoded format in the database and made an HMAC of it and saved it as well. Every time the content was about to be displayed, I didn't need to re-run HTML Purifier, which can be slow depending on the input, settings and amount of requests. I just checked that the HMAC of the database data matched the one in the database to be sure no one had altered it directly from the database, either accidentally or via compromised credentials/SQL injection.
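The purify-once-then-HMAC pattern described in the post above, written out as an added example (not kaisellgren's code or HTML Purifier's own). It assumes HTML Purifier is installed via Composer and that the HMAC key comes from server-side configuration; the function names and the key value are placeholders.

```php
<?php
// Added example: purify once on save, store the purified HTML together with an
// HMAC over it, and verify that HMAC on every display so HTML Purifier does not
// have to run on each request. Assumes HTML Purifier is installed via Composer
// and that the HMAC key is loaded from server-side config, never from the DB.
require_once __DIR__ . '/vendor/autoload.php';

const POST_HMAC_KEY = 'replace-with-a-random-32-byte-secret'; // placeholder

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist of tags and attributes the editor may produce. Unlike
    // strip_tags(), attributes not listed here are removed as well.
    $config->set('HTML.Allowed', 'p,br,strong,b,em,i,u,a[href],ul,ol,li');
    // Restrict link schemes so only ordinary web and mail links survive.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    return new HTMLPurifier($config);
}

/** Run once on save: returns [purified html, hmac] to store side by side. */
function preparePostForStorage(string $rawHtml): array
{
    $clean = makePurifier()->purify($rawHtml);
    $mac   = hash_hmac('sha256', $clean, POST_HMAC_KEY);
    return [$clean, $mac];
}

/** Run on display: trust the stored HTML only while its HMAC still matches. */
function renderStoredPost(string $storedHtml, string $storedMac): string
{
    $expected = hash_hmac('sha256', $storedHtml, POST_HMAC_KEY);
    if (hash_equals($expected, $storedMac)) {
        return $storedHtml; // unchanged since purification, safe to echo
    }
    // The row was altered behind the application's back (direct DB edit,
    // compromised credentials, SQL injection): never echo it raw. Log the
    // mismatch and re-purify before output.
    error_log('post HMAC mismatch, re-purifying before output');
    return makePurifier()->purify($storedHtml);
}

// Constructed sample input, as a WYSIWYG editor might submit it.
[$html, $mac] = preparePostForStorage(
    '<p>Hello <strong>world</strong> <a href="https://example.com">link</a></p>'
);
echo renderStoredPost($html, $mac);
```

The HMAC only proves the stored string is the one the application purified; it does not make HTML Purifier's allowlist any stricter, so the allowlist itself still decides what is safe to output.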