Al wrote:
>
>
> On 5/20/2010 11:23 AM, David Otton wrote:
>> On 20 May 2010 15:52, Al<[email protected]> wrote:
>>
>>> I agree blacklisting is a flawed approach in general. My approach is to
>>> strictly confine entry text to a whitelist of benign, acceptable
>>> tags. The
>>
>> But that's not what you've done. You've blacklisted the following
>> patterns:
>>
>> "\<script\x20",
>> "\<embed\x20",
>> "\<object\x20",
>> 'language="javascript"',
>> 'type="text/javascript"',
>> 'language="vbscript\"',
>> 'type="text/vbscript"',
>> 'language="vbscript"',
>> 'type="text/tcl"',
>> "error_reporting\(0\)",//Most hacks I've seen make certain they turn
>> of error reporting
>> "\<?php",//Here for the heck of it.
>>
>> and allowed everything else. A couple of examples:
>>
>> You haven't blacklisted<iframe>
>>
>> <IMG SRC="javascript:alert('XSS');"> would sail straight through that
>> list.
>>
>> I can't tell from that list alone, but are your checks
>> case-insensitive? Because<ScRipT> would pass through a case-sensitive
>> check.
>>
>> We can go on like this all day, and at the end of it you still won't
>> be sure you've blacklisted everything.
>>
>> The first answer at
>> http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags
>>
>> is related, also.
>
> I'm not being clear. First pass is thru the blacklist, which effectually
> tells hacker to not bother and totally deletes the entry.
>
> If the raw entry gets past the blacklist, it must then only contain my
> whitelist tags. e.g., the two examples you cited were caught by the
> whitelist parser.
What exactly does your whitelist parser do?
>
> And yes, I'm using preg_match() with the "i" arg.
>
> Note, my blacklist is not looking for tags per se, just the start of a
> bad tag. My users are only suppose to be entering plain text with some
> nice highlighting and lists, etc. The editor will not post anything else.
But who say I have to use your editor?
>
> Al...
>
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
