Allow HTML

Posted: Fri Aug 19, 2005 1:10 pm
by s.dot
Are there any security downsides to allowing users to input HTML to the database, to be displayed on a 'profile' sort of page?

Posted: Fri Aug 19, 2005 1:15 pm
by nielsene
YES.

Scripts, XSS attacks, layout breaking are all possible.

Posted: Fri Aug 19, 2005 1:22 pm
by s.dot
Layout breaking... is their own fault :P If they want their page to look stupid.

What kind of scripts are you talking about...? And what's an XSS attack? :P

Posted: Fri Aug 19, 2005 1:24 pm
by nielsene
For instance, they can enter JS that causes any visitor who views their page to email them information about the visitor, including stealing cookies.

Posted: Fri Aug 19, 2005 1:57 pm
by timvw
You can read chapters 2.3 and 2.4 at http://phpsec.org/projects/guide/.

Posted: Fri Aug 19, 2005 9:11 pm
by s.dot
So ermm, how could I go about allowing HTML in a safe way?

filtering for <script> and </script> ?

Posted: Fri Aug 19, 2005 9:18 pm
by feyd
Filter all tags, removing all unknown (unsafe) attributes. Filter all allowed attributes.

Posted: Fri Aug 19, 2005 9:24 pm
by s.dot
That seems like it would be a pretty extensive task. No one could possibly know all tags :P

Posted: Fri Aug 19, 2005 9:29 pm
by josh
Except for w3schools.com

Posted: Fri Aug 19, 2005 9:32 pm
by feyd
You only need to know which tags you want to allow; all others are removed. For each tag, you have a set list of legal (à la W3C) attributes; you should choose a subset of these for each tag that you want to allow. All other attributes are removed. The remaining attributes must be filtered for malicious content.

Posted: Fri Aug 19, 2005 9:44 pm
by timvw

Posted: Fri Aug 19, 2005 9:47 pm
by feyd
Although strip_tags may be handy, it is also kind of dumb. Last I used it, a > appearing inside the tag (in an attribute value) would make it error.

I wrote a post (linked to from the Useful Posts thread) that performs smarter strip_tags() ;)

Posted: Fri Aug 19, 2005 10:55 pm
by s.dot
Okay, so to get this straight:

List of allowed tags,
Subset of allowed attributes for each allowed tag,
Remove all non-allowed tags and non-allowed attributes.

This would require a few pretty good regexes, right?

Posted: Fri Aug 19, 2005 11:06 pm
by feyd
yeah..

Posted: Sat Aug 20, 2005 2:14 am
by AGISB
Also make sure you remember which of the tags were opened and close them if they are not closed.

You stated above that only they would get a corrupt page, but this might not be true for signatures etc.

And of course limit the width and height attributes to match your design. Pictures need to be checked for size and not displayed if they are too big or in the wrong size.
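The following is an added example, not code posted in this thread or taken from the phpsec guide. It implements the procedure s.dot summarised above (allowlist of tags, per-tag allowlist of attributes, remove everything else, then check the surviving attribute values) and the two points AGISB raised (unclosed tags get closed, width/height are clamped to the design). Instead of regexes it parses the input with PHP's DOMDocument, which is what actually closes unbalanced tags; the allowed tag and attribute sets, the 400x300 limit, the `example.com` URL in the demo, and the PHP 7.1+ requirement are all my assumptions.

```php
<?php
// Added example (not from the thread): allowlist HTML filter for a user profile page.
// Assumptions: PHP 7.1+, and the tag/attribute lists and size limits below are
// placeholders that a real site would tune to its own design.

// Allowed tags, each mapped to the attributes that may survive on it.
const ALLOWED_TAGS = [
    'p'   => [],
    'b'   => [],
    'i'   => [],
    'br'  => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt', 'width', 'height'],
];
const MAX_WIDTH  = 400;   // assumed design limits
const MAX_HEIGHT = 300;

function sanitize_profile_html(string $input): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // user HTML is sloppy; don't spray warnings
    // The encoding PI keeps UTF-8 intact; libxml's HTML parser closes every
    // tag the user left open, so the output cannot break the rest of the page.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $input . '</body>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    filter_node($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function filter_node(DOMNode $node): void
{
    // Snapshot the children: mutating a live DOMNodeList while iterating skips siblings.
    $children = [];
    foreach ($node->childNodes as $c) {
        $children[] = $c;
    }
    foreach ($children as $child) {
        if ($child instanceof DOMText) {
            continue;                         // plain text is fine, DOM escapes it on output
        }
        if (!($child instanceof DOMElement)) {
            $node->removeChild($child);       // comments, PIs: not wanted in a profile
            continue;
        }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $node->removeChild($child);       // their text is code, not content: drop it all
            continue;
        }
        filter_node($child);                  // clean the descendants first
        if (!isset(ALLOWED_TAGS[$tag])) {
            // Unknown tag: keep its (already filtered) children, drop the tag itself.
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        filter_attributes($child, ALLOWED_TAGS[$tag]);
    }
}

function filter_attributes(DOMElement $el, array $allowed): void
{
    $names = [];
    foreach ($el->attributes as $attr) {
        $names[] = $attr->name;               // snapshot, same reason as above
    }
    foreach ($names as $name) {
        $lname = strtolower($name);
        $value = $el->getAttribute($name);
        if (!in_array($lname, $allowed, true)) {
            $el->removeAttribute($name);      // removes onclick, onload, style, ...
            continue;
        }
        // Allowed attributes still get their values checked.
        if ($lname === 'href' || $lname === 'src') {
            if (!is_safe_url($value)) {
                $el->removeAttribute($name);
            }
        } elseif ($lname === 'width' || $lname === 'height') {
            $limit = ($lname === 'width') ? MAX_WIDTH : MAX_HEIGHT;
            if (!ctype_digit($value) || (int) $value < 1) {
                $el->removeAttribute($name);  // not a plain positive integer
            } else {
                $el->setAttribute($name, (string) min((int) $value, $limit));
            }
        }
    }
}

function is_safe_url(string $url): bool
{
    // Only absolute http(s) URLs; this rejects javascript:, data: and similar schemes.
    return (bool) preg_match('#^https?://[^\s"\'<>]+$#i', trim($url));
}

// Demo on constructed input: an event handler, a script, a javascript: link,
// an oversized image and an unclosed tag.
$dirty = '<p onclick="alert(1)">Hi <b>there</b></p><script>alert(1)</script>'
       . '<a href="javascript:alert(1)">x</a>'
       . '<img src="http://example.com/a.png" width="9999"><i>unclosed';
echo sanitize_profile_html($dirty), "\n";
```

Two design notes. The parser, not a regex, decides where tags start and end, so the strip_tags problem feyd mentions (a `>` inside an attribute value) does not arise, and every tag the user left open comes back closed. The size check only clamps the width/height attributes; AGISB's other point, rejecting images whose real pixel size is wrong, would need the image itself to be fetched and measured (for example with getimagesize on a locally stored copy), which this example does not do.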