Posted: Mon Aug 14, 2006 7:01 pm
by Ollie Saunders

Code:

<<img src="img.gif" alt="" />
== no output

Posted: Mon Aug 14, 2006 7:04 pm
by Ambush Commander
I can't fix that. I'm using the DOM extension to parse the HTML, so if it ordains that <<img is invalid, so be it. It's not like no output stops it from validating. ;-)

I, however, do have a native PHP lexer implemented for PHP 4. That probably would handle the malformed HTML correctly.

Posted: Mon Aug 14, 2006 7:06 pm
by wei
doesn't it do the same sort of things as

http://pixel-apes.com/safehtml/

Posted: Mon Aug 14, 2006 7:08 pm
by Ambush Commander
Nope. (note that this package is also in PEAR as HTML_Safe). Ivanov's package does blacklist filtering (flawed by design), and doesn't guarantee validation. I do whitelist filtering and guarantee validation.

Posted: Mon Aug 14, 2006 7:56 pm
by Ambush Commander
HTMLPurifier will now transparently detect fully formed HTML documents and discard everything not in body.

Posted: Mon Aug 14, 2006 9:08 pm
by RobertGonzalez
You go Commander, keep putting out the goods!

Posted: Tue Aug 15, 2006 8:50 pm
by Ambush Commander
Well... I'm wondering how many features I should tack on before releasing the beta.

Default behavior now drops invalid tags. More CSS properties supported, basically everything you need except text-decoration. Fixed attack that could crash operating systems (ever heard of the <img width="999999" height="999999" /> exploit?). Did some optimization to make code run a lot faster.
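The three behaviours discussed in this thread (whitelist rather than blacklist filtering, dropping invalid tags, and refusing absurd image dimensions) in one small sanitizer. This is an added illustration written for this page, not HTMLPurifier's code; the tag/attribute policy and the 2048-pixel cap are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed whitelist policy (not HTMLPurifier's real config): only these tags survive, each keeping only these attributes.
ALLOWED = {"p": set(), "b": set(), "a": {"href"}, "img": {"src", "alt", "width", "height"}}
VOID = {"img"}
MAX_DIMENSION = 2048  # assumed cap; rejects the 999999x999999 image mentioned in the thread

def clean_dimension(value):
    # keep width/height only if it is a plain ASCII integer within the cap, otherwise drop the attribute
    if value is None or not (value.isascii() and value.isdigit()) or not 0 < int(value) <= MAX_DIMENSION:
        return None
    return str(int(value))

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.open_tags = [], []

    def _clean_attrs(self, tag, attrs):
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # anything not whitelisted (onclick, style, ...) is dropped, no blacklist needed
            if name in ("width", "height"):
                value = clean_dimension(value)
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                value = None
            if value is not None:
                yield f' {name}="{escape(value, quote=True)}"'

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # invalid tag dropped; its text content still arrives via handle_data
        attr_text = "".join(self._clean_attrs(tag, attrs))
        if tag in VOID:
            self.out.append(f"<{tag}{attr_text} />")
        else:
            self.out.append(f"<{tag}{attr_text}>")
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        while tag in self.open_tags:  # also closes intervening unclosed tags so output stays well-formed
            self.out.append(f"</{self.open_tags.pop()}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped, so stray '<' (as in '<<img') becomes '&lt;'

def sanitize(html):
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    parser.out.extend(f"</{t}>" for t in reversed(parser.open_tags))  # close anything left open
    return "".join(parser.out)
```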

Posted: Tue Aug 15, 2006 9:30 pm
by RobertGonzalez
Ambush Commander wrote:...(ever heard of the <img width="999999" height="999999" /> exploit?)...
Not ever, but I am glad I did now.

Posted: Tue Aug 15, 2006 10:05 pm
by Ambush Commander
ha.ckers.org / imagecrash.html

If you've got time on your hands and don't mind having to reboot your computer, remove the spaces and browse to that page. If you're running Opera or a non-Windows OS, it probably won't affect you. But Windows + IE/Firefox + Imagecrash = Blue Screen of Death.

Posted: Tue Aug 15, 2006 11:20 pm
by Weirdan
But Windows + IE/Firefox + Imagecrash = Blue Screen of Death.
That doesn't seem to be true, at least for me.

Posted: Tue Aug 15, 2006 11:21 pm
by Weirdan
Btw, I have never seen bsods on my WinXP boxes.

Posted: Wed Aug 16, 2006 7:40 am
by Ambush Commander
Hmm... you must have a savvy video card or automatic image resizing enabled. The last time I saw a BSOD was about a year and a half ago, except when I pressed that link and ::crash:: Very fun. :-/

Posted: Wed Aug 16, 2006 5:19 pm
by Weirdan
Ha, onboard Trident Blade 3D with 8MB of UMA RAM allocated to it.

Posted: Wed Aug 16, 2006 6:01 pm
by feyd
Trident.. I haven't heard that name in.. well, I'll just stop there and not date myself too much. :)

Posted: Wed Aug 16, 2006 6:14 pm
by jayshields
Ambush Commander wrote:ha.ckers.org / imagecrash.html

If you've got time on your hands and don't mind having to reboot your computer, remove the spaces and browse to that page. If you're running Opera or a non-Windows OS, it probably won't affect you. But Windows + IE/Firefox + Imagecrash = Blue Screen of Death.
Windows XP Pro SP2 + Firefox is fine on that website.

Froze FF for about 4 seconds though. Dunno if video card/spec makes any difference (6600GT 128mb, AMD64 3200+, 1.5gb RAM).