XSS Attacks through BBCode...

Posted: Tue Feb 17, 2009 4:36 am
by lostprophetpunk
I have just made a new blog system for myself, with bbcode for the comment system.

I have, however, had a thought about the url bbcode use for a hyperlink.

I have a system that searches for a '<' already and then displays an error, but what could happen if someone wanted to hack my site through the use of my bbcode which is...

Code:

function bbcode_format ($str) {

    $simple_search = array(
                //added line break
                '/\[br\]/is',
                '/\[b\](.*?)\[\/b\]/is',
                '/\[i\](.*?)\[\/i\]/is',
                '/\[u\](.*?)\[\/u\]/is',
                '/\[url\=(.*?)\](.*?)\[\/url\]/is',
                '/\[align\=(left|center|right)\](.*?)\[\/align\]/is',
                );

    $simple_replace = array(
                //added line break
                '<br />',
                '<strong>$1</strong>',
                '<em>$1</em>',
                '<u>$1</u>',
                // added nofollow to prevent spam
                '<a href="$1" rel="nofollow" title="$2 - $1" target="_blank">$2</a>',
                '<div style="text-align: $1;">$2</div>',
                );

    // Do BBCode's
    $str = preg_replace ($simple_search, $simple_replace, $str);

    return $str;
}
Should I be worried and how to make it even more secure if it is vulnerable?

I thought about it after reading through this.

Re: XSS Attacks through BBCode...

Posted: Tue Feb 17, 2009 4:43 am
by Mordred
How about giving it a try? It might be worth a try, trying it. Try to try it...

(... cue Monty Python chorus of vikings with horned helmets: "Try! Try! Try! Try! Try! Try! Try! Try! Try! Try! Try! Try! Try! Try!")

Code:

echo bbcode_format("<script>alert('hi')</script>");

Re: XSS Attacks through BBCode...

Posted: Wed Feb 18, 2009 1:48 pm
by kaisellgren
The very first regular expression does not need that pattern modifier "s".

Unfortunately, that script of yours does nothing to protect from XSS.

Mordred, have you taken something? :drunk:
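A hardened version of the function from the first post, added here as an example and not code from the original poster or from anyone in the thread. It addresses kaisellgren's point (the original does nothing against XSS) and turns Mordred's probe into a regression check: the whole comment is HTML-escaped first, so every tag in the output comes from the bbcode replacements themselves, and the [url=...] target is only turned into a link when it is an absolute http or https URL. The function name bbcode_format_safe is an assumption of this example; it assumes PHP 7 or later.

```php
<?php
// Added example: a defensive rewrite of the thread's bbcode_format().
// Not the original poster's code; bbcode_format_safe is an assumed name.

function bbcode_format_safe(string $str): string
{
    // 1. Neutralise every '<', '>', '&', '"' and "'" in the user's text.
    //    From here on the string carries no markup of its own; '[' and ']'
    //    are untouched, so the bbcode tags below still match.
    $str = htmlspecialchars($str, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $simple_search = [
        // no 's' modifier needed: the pattern contains no '.'
        '/\[br\]/i',
        '/\[b\](.*?)\[\/b\]/is',
        '/\[i\](.*?)\[\/i\]/is',
        '/\[u\](.*?)\[\/u\]/is',
        // the pattern itself restricts the align value to three words,
        // so interpolating $1 into the style attribute is safe
        '/\[align=(left|center|right)\](.*?)\[\/align\]/is',
    ];
    $simple_replace = [
        '<br />',
        '<strong>$1</strong>',
        '<em>$1</em>',
        '<u>$1</u>',
        '<div style="text-align: $1;">$2</div>',
    ];
    $str = preg_replace($simple_search, $simple_replace, $str);

    // 2. [url=...] goes through a callback so the target can be checked.
    //    The captured target is already entity-encoded (step 1), which is
    //    the correct form inside an attribute value; it is decoded only
    //    for the scheme check. Anything that is not an absolute http(s)
    //    URL is left as the literal, escaped bbcode text.
    $str = preg_replace_callback(
        '/\[url=([^\]\s]+)\](.*?)\[\/url\]/is',
        function (array $m): string {
            $target = $m[1];
            $label  = $m[2];
            $plain  = html_entity_decode($target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('~^https?://\S+$~i', $plain)) {
                return $m[0];
            }
            // strip_tags keeps <strong>/<em> produced in step 1 out of the
            // title attribute; noopener goes with target="_blank"
            return '<a href="' . $target . '" rel="nofollow noopener" '
                 . 'title="' . strip_tags($label) . ' - ' . $target . '" '
                 . 'target="_blank">' . $label . '</a>';
        },
        $str
    );

    return $str;
}

// Constructed sample inputs: Mordred's probe from the thread, a normal
// comment, and a link with a scheme outside the http/https allow-list.
echo bbcode_format_safe("<script>alert('hi')</script>"), "\n";
echo bbcode_format_safe('[b]Hello[/b] [url=http://example.com/?a=1&b=2]site[/url]'), "\n";
echo bbcode_format_safe('[url=ftp://example.com/file]ftp link[/url]'), "\n";
```

The order matters: escaping after the replacements would also escape the generated `<strong>` and `<a>` tags, while escaping before them means a comment can only ever produce the handful of elements the replacement table emits. Checking the URL scheme closes the remaining gap in the original, where whatever sat between `[url=` and `]` was copied verbatim into `href`. A `[url]` tag that fails the check is rendered as plain text rather than silently dropped, which makes mistakes visible to the commenter without giving the browser anything to act on.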