Allow HTML

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Allow HTML

Post by s.dot »

Are there any security downsides to allowing users to input HTML to the database, to be displayed on a 'profile' sort of page?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

YES.

Scripts, XSS attacks, layout breaking are all possible.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Layout breaking... is their own fault :P If they want their page to look stupid.

What kind of scripts are you talking about...? And what's an XSS attack? :P
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

for instance they can enter JS that causes any visitor who views their page to email them information about the visitor, including stealing cookies.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

You can read chapters 2.3 and 2.4 at http://phpsec.org/projects/guide/.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

So ermm, how could I go about allowing HTML in a safe way?

filtering for <script> and </script> ?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

filter all tags, removing all unknown (unsafe) attributes. Filter all allowed attributes.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

That seems like it would be a pretty extensive task. No one could possibly know all tags :P
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Except for w3schools.com
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

you only need to know which tags you want to allow, all others are removed. For each tag, you have a set list of legal (a la W3C) attributes, you should choose a subset of these for each tag that you want to allow. All other attributes are removed. The remaining attributes must be filtered for malicious content.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

although strip_tags may be handy, it is also kind of dumb. Last I used it, a > appearing inside the tag (in an attribute value) would make it error.

I wrote a post (linked to from the Useful Posts thread) that performs smarter strip_tags() ;)
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Okay, so to get this straight:

List of allowed tags,
Subset of allowed attributes for each allowed tag,
Remove all non-allowed tags, and non-allowed attributes

This would require a few pretty good regexes, right?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

yeah..
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

Also make sure you remember which of the tags were opened and close them if they are not closed.

You stated above that only they would get a corrupt page, but this might not be true for signatures etc.

and of course limit the width and height attributes to match your design. Pictures need to be checked for size and not displayed if they are too big or in the wrong size.
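The whitelist approach feyd describes (allowed tags, an allowed attribute subset per tag, everything else removed), s.dot's three-point summary, and AGISB's points about unclosed tags and width/height limits can all be handled by one filter built on PHP's DOMDocument rather than regexes. This is an added example, not code from the thread; the tag list, attribute lists and size limits are assumed values for a profile page, and it assumes the DOM extension (libxml2) that ships with standard PHP.

```php
<?php
// Added example (not from this thread): whitelist HTML filter on DOMDocument.
// Tags, attributes and size limits below are assumed values; adapt to your design.
const ALLOWED_TAGS = [
    'p' => [], 'b' => [], 'i' => [], 'br' => [], 'ul' => [], 'li' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt', 'width', 'height'],
];
const MAX_IMG_WIDTH  = 400;   // assumed layout limits (AGISB's point)
const MAX_IMG_HEIGHT = 300;

// An allowed attribute survives only if its value passes the check for its name.
function attributeIsSafe(string $name, string $value): bool {
    switch ($name) {
        case 'href':
        case 'src':    // plain http(s) URLs only: rejects javascript:, data:, vbscript:
            return (bool) preg_match('#^https?://[^\s"\'<>]+$#i', $value);
        case 'width':  return ctype_digit($value) && (int) $value <= MAX_IMG_WIDTH;
        case 'height': return ctype_digit($value) && (int) $value <= MAX_IMG_HEIGHT;
        default:       return true;   // alt/title are text; saveHTML() escapes them
    }
}

function cleanNode(DOMNode $parent): void {
    // Copy the child list first, because the tree is modified while walking it.
    foreach (iterator_to_array($parent->childNodes) as $node) {
        if ($node instanceof DOMText) {
            continue;                    // text nodes are entity-escaped on output
        }
        if (!$node instanceof DOMElement || !array_key_exists($node->tagName, ALLOWED_TAGS)) {
            $parent->removeChild($node); // comments, PIs, <script>, unknown tags: gone
            continue;
        }
        $allowed = ALLOWED_TAGS[$node->tagName];
        foreach (iterator_to_array($node->attributes) as $attr) {
            if (!in_array($attr->name, $allowed, true) || !attributeIsSafe($attr->name, $attr->value)) {
                $node->removeAttribute($attr->name);   // onmouseover, style, bad URLs...
            }
        }
        cleanNode($node);                // recurse into allowed elements
    }
}

function filterHtml(string $dirty): string {
    $doc = new DOMDocument();
    // libxml repairs the markup, so tags the user left open are closed for them.
    @$doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>' . $dirty . '</body></html>');
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);
    $clean = '';
    foreach ($body->childNodes as $child) {
        $clean .= $doc->saveHTML($child);
    }
    return $clean;
}

// Constructed input: event handler, javascript: link, script tag, unclosed <b>.
echo filterHtml('<p onmouseover="alert(1)">Hi <a href="javascript:alert(1)">me</a><script>x()</script><b>bold');
```

Because the output is re-serialized from the parsed tree, the stored text is always well-formed markup, so a user's profile cannot leave an open tag that breaks the rest of the page.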