HTMLPurifier - Take your best shot

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Code:

<<img src="img.gif" alt="" />
== no output
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I can't fix that. I'm using the DOM extension to parse the HTML, so if it ordains that <<img is invalid, so be it. It's not like no output stops it from validating. ;-)

I, however, do have a native PHP lexer implemented for PHP 4. That probably would handle the malformed HTML correctly.
wei
Forum Contributor
Posts: 140
Joined: Wed Jul 12, 2006 12:18 am

Post by wei »

doesn't it do the same sort of things as

http://pixel-apes.com/safehtml/
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Nope. (note that this package is also in PEAR as HTML_Safe). Ivanov's package does blacklist filtering (flawed by design), and doesn't guarantee validation. I do whitelist filtering and guarantee validation.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

HTMLPurifier will now transparently detect fully formed HTML documents and discard everything not in body.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

You go Commander, keep putting out the goods!
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Well... I'm wondering how many features I should tack on before releasing the beta.

Default behavior now drops invalid tags. More CSS properties supported, basically everything you need except text-decoration. Fixed attack that could crash operating systems (ever heard of the <img width="999999" height="999999" /> exploit?) Did some optimization to make code run a lot faster.
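The two design points made in this thread, whitelist filtering on top of a real HTML parser (Ambush Commander's reply about the DOM extension above) and bounding image dimensions so an oversized `<img>` cannot be passed through, can be shown in a few dozen lines. The following is an added example, not HTMLPurifier's code or its API; the function names (`sanitize_html`, `filter_node`, `filter_attributes`, `attribute_is_valid`), the `ALLOWED` element/attribute table and the `MAX_IMG_DIMENSION` bound are all assumptions chosen for illustration.

```php
<?php
// Added example, not HTMLPurifier's own code. Assumed names: sanitize_html(),
// filter_node(), filter_attributes(), attribute_is_valid(), ALLOWED,
// MAX_IMG_DIMENSION. Everything not on the whitelist is dropped; nothing is
// blacklisted.

const ALLOWED = [
    'p'   => [],
    'b'   => [],
    'i'   => [],
    'a'   => ['href'],
    'img' => ['src', 'alt', 'width', 'height'],
];
const MAX_IMG_DIMENSION = 1200; // assumed upper bound for width/height, in pixels

function sanitize_html(string $input): string {
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);      // malformed input must not emit PHP warnings
    $dom->loadHTML($input, LIBXML_NOWARNING | LIBXML_NOERROR);
    libxml_clear_errors();

    // Whatever the parser decided about malformed markup stands; we only keep
    // what ended up inside <body>, which also discards <head> of full documents.
    $body = $dom->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    filter_node($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

function filter_node(DOMNode $node): void {
    // Walk backwards so that removing a child does not skip its siblings.
    for ($i = $node->childNodes->length - 1; $i >= 0; $i--) {
        $child = $node->childNodes->item($i);
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset(ALLOWED[$tag])) {
                $node->removeChild($child);   // unknown element: dropped with its contents
                continue;
            }
            filter_attributes($child, ALLOWED[$tag]);
            filter_node($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);       // comments and other non-text nodes: dropped
        }
    }
}

function filter_attributes(DOMElement $el, array $allowed): void {
    $names = [];
    foreach ($el->attributes as $attr) {
        $names[] = $attr->name;               // collect first; removing while iterating is unsafe
    }
    foreach ($names as $name) {
        if (!in_array($name, $allowed, true) || !attribute_is_valid($name, $el->getAttribute($name))) {
            $el->removeAttribute($name);
        }
    }
}

function attribute_is_valid(string $name, string $value): bool {
    switch ($name) {
        case 'width':
        case 'height':
            // Positive integer within the bound; an oversized value is simply dropped,
            // leaving the browser to size the image naturally.
            return ctype_digit($value) && (int)$value >= 1 && (int)$value <= MAX_IMG_DIMENSION;
        case 'href':
        case 'src':
            // Only http(s) URLs survive; any other scheme is rejected by default.
            return (bool)preg_match('#^https?://#i', $value);
        default:
            return true;
    }
}

// Constructed sample input: an event handler, an oversized width and a script
// element, none of which should survive.
echo sanitize_html('<p onclick="x()">hello <img src="http://example.com/a.gif" width="999999" height="10" alt="a"></p><script>1</script>'), "\n";
```

The point of the `width`/`height` branch is that the filter never tries to recognise a bad value; it only accepts a narrow, well-defined range and drops everything else, which is the whitelist discipline the thread contrasts with blacklist filtering. Character encoding is deliberately left out of this sketch: `DOMDocument::loadHTML()` assumes ISO-8859-1 unless the input declares otherwise, so a real filter would normalise the input to a known encoding first.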
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Ambush Commander wrote:...(ever heard of the <img width="999999" height="999999" /> exploit?)...
Not ever, but I am glad I did now.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

ha.ckers.org / imagecrash.html

If you've got time on your hands and don't mind having to reboot your computer, remove the spaces and browse to that page. If you're running Opera or a non-Windows OS, it probably won't affect you. But Windows + IE/Firefox + Imagecrash = Blue Screen of Death.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

But Windows + IE/Firefox + Imagecrash = Blue Screen of Death.
That doesn't seem to be true, at least for me.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Btw, I have never seen BSODs on my WinXP boxes.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Hmm... you must have a savvy video card or automatic image resizing enabled. The last time I saw a BSOD was about a year and a half ago, except when I pressed that link and ::crash:: Very fun. :-/
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Ha, onboard Trident Blade 3D with 8MB of UMA RAM allocated to it.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Trident.. I haven't heard that name in.. well, I'll just stop there and not date myself too much. :)
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Ambush Commander wrote:ha.ckers.org / imagecrash.html

If you've got time on your hands and don't mind having to reboot your computer, remove the spaces and browse to that page. If you're running Opera or a non-Windows OS, it probably won't affect you. But Windows + IE/Firefox + Imagecrash = Blue Screen of Death.
Windows XP Pro SP2 + Firefox is fine on that website.

Froze FF for about 4 seconds though. Dunno if video card/spec makes any difference (6600GT 128MB, AMD64 3200+, 1.5GB RAM).