
PHP Security Issue!

Posted: Sat Jun 14, 2008 1:56 pm
by IronicSoul
We have a website that allows our users to add HTML to their profiles and such, until some person thought they were real funny and posted this:

<iframe src=http://lancxeon.com/jack****.html</iframe>

on their profile. In return, this loaded JavaScript from that remote page that acted on our site and our users in a bad way.

The link above no longer contains the bad code and is resolved. We would really like to know how to censor out words/HTML tags that can cause XSS that our system does not normally detect as bad. Here is a snippet of our user_class file:

Code:

              // DECODE TO MAKE HTML TAGS FOR PROFILE FIELDS VALID
              // (this undoes the escaping, so any stored markup becomes live HTML on the page)
              $field_value_profile = htmlspecialchars_decode($field_value_profile, ENT_QUOTES);

            // FORMAT VALUE FOR FORM
            } else {
              // field type 2 is a multi-line field: turn stored <br> back into newlines for the textarea
              if ($field_info['field_type'] == 2) { $field_value = str_replace("<br>", "\r\n", $field_value); }
            }
                break;
I have read a lot on the PHP page on usage of htmlspecialchars and str_replace, but nothing will truly get rid of the code from being used, or at least make it HTML-safe.

Any help would be greatly appreciated!

Re: PHP Security Issue!

Posted: Sat Jun 14, 2008 3:25 pm
by VirtuosiMedia
Wouldn't the strip tags function work?

Re: PHP Security Issue!

Posted: Sat Jun 14, 2008 3:36 pm
by califdon
I'm definitely not a web page security expert, but I think if you allow your users to use HTML tags, you will have to get very specific about which tags you will allow. You can write a function to either replace certain known "dangerous" tags with "safe" ones, or you can detect "dangerous" tags and warn the user that they must remove them. You should then have a Help pop-up or something, where they can see what tags are allowed.

Re: PHP Security Issue!

Posted: Sat Jun 14, 2008 6:43 pm
by IronicSoul
Alright, the problem is I know very little about PHP, so I don't know how I'm going to do this..

Re: PHP Security Issue!

Posted: Sat Jun 14, 2008 6:46 pm
by Eran
Try using HTML Purifier, an excellent package written precisely for this issue.
http://htmlpurifier.org/

Re: PHP Security Issue!

Posted: Sat Jun 14, 2008 7:30 pm
by califdon
Thanks, pytrin, that's an interesting library, but it appears that it supports only specific frameworks, and this new PHP user is unlikely to know how to use it. (Neither do I, to be honest.)

IronicSoul: There's really no way to simplify the task so that you can merely substitute a little code and solve your problem. You will need to do one of two things:
  1. Find someone who can rewrite your code to screen for unacceptable HTML tags, or use a programming framework and a package such as the one pytrin referenced; or
  2. Prevent your users from using any HTML tags in their profiles.
To do the second thing above, you should have a warning to users on the page with the form, telling them not to use HTML tags, then you could validate the $field_value_profile variable using code like this:

Code:

// strpos() takes the haystack first; it returns 0 when "<" is the very first
// character and false when it is absent, so compare against false, not > 0
if (strpos($field_value_profile, "<") !== false) {
    // send them back to a page with an error message
} else {
    // continue processing their input
}
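
The two options above, worked through in PHP as an added example (this is not code from the thread or from the HTML Purifier project): a no-HTML path that escapes on output instead of decoding, the corrected strpos() check, and a whitelist path using HTML Purifier as pytrin recommended. It assumes HTML Purifier is installed with its autoloader on the include path (per http://htmlpurifier.org/live/INSTALL); the function names and the sample input are made up.

```php
<?php
// Assumes HTML Purifier is installed; HTMLPurifier.auto.php ships with it.
require_once 'HTMLPurifier.auto.php';

// Option 2: allow no HTML at all. Store the raw text and escape it when
// rendering. Never pass it through htmlspecialchars_decode(), which is the
// step in the user_class snippet that turned the stored <iframe> into live HTML.
function profileFieldAsText(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Corrected form of the check from the post above: haystack first, and a
// "<" at position 0 must count as a hit, so test against false.
function containsMarkup(string $raw): bool
{
    return strpos($raw, '<') !== false || strpos($raw, '>') !== false;
}

// Option 1: allow a small whitelist of tags and let HTML Purifier rewrite
// the input to fit it. iframe, script, event-handler attributes and
// javascript: URLs are outside the whitelist, so they are removed.
function profileFieldAsHtml(string $raw): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,u,ul,ol,li,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($raw);
}

// Constructed sample input shaped like the payload from the first post
// (placeholder domain, not the real one).
$dirty = 'Hi! <b>Welcome</b> <iframe src=http://example.invalid/x.html></iframe>'
       . ' <a href="javascript:alert(1)">me</a>';

if (containsMarkup($dirty)) {
    // Option 2 reaction: reject or show it as literal text.
    echo profileFieldAsText($dirty), "\n";
}
// Option 1 reaction: keep <b>, drop the iframe and the javascript: link.
echo profileFieldAsHtml($dirty), "\n";
```

Whichever option is chosen, the key change is to stop decoding stored values back into HTML: either escape on output or sanitize against a whitelist before storing.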

Re: PHP Security Issue!

Posted: Sun Jun 15, 2008 1:03 am
by Eran
What do you mean works only with other frameworks? This is an independent library... Why reinvent the wheel when you can have a good solution that evolved through community feedback? Isn't that what open-source is all about?
Installing it is rather easy... http://htmlpurifier.org/live/INSTALL

Re: PHP Security Issue!

Posted: Sun Jun 15, 2008 11:18 am
by califdon
pytrin wrote:What do you mean works only with other frameworks? This is an independent library... Why reinvent the wheel when you can have a good solution that evolved through community feedback? Isn't that what open-source is all about?
Installing it is rather easy... http://htmlpurifier.org/live/INSTALL
Oops! I looked at the Plugins paragraph on their web page and made the (wrong) assumption that it only worked with those frameworks. Thanks for the correction.