XSS Attacks through BBCode...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


lostprophetpunk
Forum Newbie
Posts: 21
Joined: Sat May 31, 2008 3:49 am

XSS Attacks through BBCode...

Post by lostprophetpunk »

I have just made a new blog system for myself, with bbcode for the comment system.

I have, however, had a thought about the url bbcode used for a hyperlink.

I have a system that searches for a '<' already and then displays an error, but what could happen if someone wanted to hack my site through the use of my bbcode, which is...


function bbcode_format ($str) {

    $simple_search = array(
        // added line break
        '/\[br\]/is',
        '/\[b\](.*?)\[\/b\]/is',
        '/\[i\](.*?)\[\/i\]/is',
        '/\[u\](.*?)\[\/u\]/is',
        // $1 = URL, $2 = link text; both are captured verbatim
        '/\[url\=(.*?)\](.*?)\[\/url\]/is',
        // alignment value restricted to three fixed words
        '/\[align\=(left|center|right)\](.*?)\[\/align\]/is',
    );

    $simple_replace = array(
        // added line break
        '<br />',
        '<strong>$1</strong>',
        '<em>$1</em>',
        '<u>$1</u>',
        // added nofollow to prevent spam
        '<a href="$1" rel="nofollow" title="$2 - $1" target="_blank">$2</a>',
        '<div style="text-align: $1;">$2</div>',
    );

    // Do BBCode's: captured groups are substituted straight into the HTML
    $str = preg_replace($simple_search, $simple_replace, $str);

    return $str;
}
Should I be worried, and how do I make it more secure if it is vulnerable?

I thought about it after reading through this.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: XSS Attacks through BBCode...

Post by Mordred »

How about giving it a try? It might be worth a try, trying it. Try to try it...

(... cue Monty Python chorus of vikings with horned helmets: "Try! Try! Try! Try! Try! Try! Try! Try! Try! Try! Try! Try! Try! Try!")


echo bbcode_format("<script>alert('hi')</script>");
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: XSS Attacks through BBCode...

Post by kaisellgren »

The very first regular expression does not need that pattern modifier "s".

Unfortunately, that script of yours does nothing to protect from XSS.

Mordred, have you taken something? :drunk:
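The following is an added example and is not code from the original poster or from the replies; it reproduces the poster's function beside a hardened version to show why the '<' check and the regexes above do not stop XSS, and how to fix it. The helper names (bbcode_format_vulnerable, bbcode_format_safe, safe_href), the http/https-only scheme whitelist and the test payloads are all assumptions made for this example; it assumes PHP 7.1 or later and that the input has not passed through any other filter.

```php
<?php
// Added example, not the original poster's code.

function bbcode_format_vulnerable(string $str): string {
    // The poster's function as written: captured groups land in the HTML unescaped.
    $search = [
        '/\[br\]/i',
        '/\[b\](.*?)\[\/b\]/is',
        '/\[i\](.*?)\[\/i\]/is',
        '/\[u\](.*?)\[\/u\]/is',
        '/\[url\=(.*?)\](.*?)\[\/url\]/is',
        '/\[align\=(left|center|right)\](.*?)\[\/align\]/is',
    ];
    $replace = [
        '<br />',
        '<strong>$1</strong>',
        '<em>$1</em>',
        '<u>$1</u>',
        '<a href="$1" rel="nofollow" title="$2 - $1" target="_blank">$2</a>',
        '<div style="text-align: $1;">$2</div>',
    ];
    return preg_replace($search, $replace, $str);
}

// Assumed policy for this example: only absolute http(s) URLs with no
// whitespace or quote characters may become an href. javascript:, data:,
// vbscript: and attribute-breaking input are refused, not escaped.
function safe_href(string $url): ?string {
    $url = trim($url);
    if (!preg_match('#^https?://[^\s"\'<>]+$#i', $url)) {
        return null;
    }
    return $url;
}

function bbcode_format_safe(string $str): string {
    // 1. Escape every HTML metacharacter first. From here on the only tags
    //    in the output are the ones this function emits itself.
    $str = htmlspecialchars($str, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Re-expand the simple tags. $1/$2 now come from escaped text, and the
    //    align value is still restricted to three fixed words.
    $str = preg_replace(
        [
            '/\[br\]/i',
            '/\[b\](.*?)\[\/b\]/is',
            '/\[i\](.*?)\[\/i\]/is',
            '/\[u\](.*?)\[\/u\]/is',
            '/\[align=(left|center|right)\](.*?)\[\/align\]/is',
        ],
        [
            '<br />',
            '<strong>$1</strong>',
            '<em>$1</em>',
            '<u>$1</u>',
            '<div style="text-align: $1;">$2</div>',
        ],
        $str
    );

    // 3. Links need validation, not just escaping: a javascript: URL contains
    //    no HTML metacharacters at all, so step 1 leaves it intact.
    return preg_replace_callback(
        '/\[url=(.*?)\](.*?)\[\/url\]/is',
        function (array $m): string {
            // Undo step 1 on the URL so the check sees what the user typed.
            $raw  = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $href = safe_href($raw);
            if ($href === null) {
                return $m[2]; // drop the link, keep the already-escaped text
            }
            $href = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow noopener" target="_blank">' . $m[2] . '</a>';
        },
        $str
    );
}

// Constructed inputs. The first two contain no '<', so the poster's check
// would accept them; the third is a legitimate link that must keep working.
$inputs = [
    '[url=javascript:alert(1)]click me[/url]',
    '[url=http://example.com/" onmouseover="alert(1)]click me[/url]',
    '[url=http://example.com/?a=1&b=2]site[/url]',
];
foreach ($inputs as $in) {
    echo "input:      ", $in, "\n";
    echo "vulnerable: ", bbcode_format_vulnerable($in), "\n";
    echo "hardened:   ", bbcode_format_safe($in), "\n\n";
}
```

Run it and the vulnerable output for the first input is `<a href="javascript:alert(1)" ...>`, and for the second the double quote closes href and `onmouseover="alert(1)"` becomes a live attribute; neither needs a '<'. The hardened version emits plain text for both and `href="http://example.com/?a=1&amp;b=2"` for the third. Mordred's `<script>` test comes out as `&lt;script&gt;` after step 1, which is the point kaisellgren makes: escape first, then expand only the tags you trust, and validate anything that ends up in an attribute.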