Re: [PHP] Question about a security function

2010-05-21 Thread David Otton
On 20 May 2010 16:51, Al n...@ridersite.org wrote:

 I'm not being clear. First pass is thru the blacklist, which effectually
 tells hacker to not bother and totally deletes the entry.

 If the raw entry gets past the blacklist, it must then only contain my
 whitelist tags. e.g., the two examples you cited were caught by the
 whitelist parser.

Ah, gotcha. That seems like a much better approach to me. But if the
whitelist's going to stop the submission, then why bother with a
blacklist at all?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Question about a security function

2010-05-21 Thread Ashley Sheridan
On Fri, 2010-05-21 at 14:24 +0100, David Otton wrote:

 On 20 May 2010 16:51, Al n...@ridersite.org wrote:
 
  I'm not being clear. First pass is thru the blacklist, which effectually
  tells hacker to not bother and totally deletes the entry.
 
  If the raw entry gets past the blacklist, it must then only contain my
  whitelist tags. e.g., the two examples you cited were caught by the
  whitelist parser.
 
 Ah, gotcha. That seems like a much better approach to me. But if the
 whitelist's going to stop the submission, then why bother with a
 blacklist at all?
 


I still think you might be better off using BBCode, which is used on
websites just for this very purpose. When any input comes back, you can
remove all the HTML completely and replace the BBCode tags that you
allow. This should guarantee that the only HTML in the text is what you
put there. That way, the only chance someone has to enter malicious code
is to manipulate your replacement algorithm.

Thanks,
Ash
http://www.ashleysheridan.co.uk
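What Ash describes, as an added example that is not code from the thread: everything the user typed is HTML-escaped first, then a fixed set of BBCode tags is replaced with markup the script itself emits. The tag set, the http(s)-only rule for [url=...] and the sample strings are this example's own choices. The [url] case is the one place where user data lands inside an attribute, which is exactly the "manipulate your replacement algorithm" risk, so it is validated rather than copied through.

```php
<?php
// Added example (not from the thread): escape everything, then put back only
// the HTML this function generates itself. Tag set and URL policy are this
// example's assumptions, not anything the thread specifies.

declare(strict_types=1);

function bbcode_to_html(string $raw): string
{
    // Step 1: neutralise every character that could open a tag or attribute.
    // After this line the string contains no raw '<', '>', '"' or "'".
    $text = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: re-introduce markup only through fixed replacement strings.
    $simple = [
        '~\[b\](.*?)\[/b\]~s'         => '<strong>$1</strong>',
        '~\[i\](.*?)\[/i\]~s'         => '<em>$1</em>',
        '~\[quote\](.*?)\[/quote\]~s' => '<blockquote>$1</blockquote>',
    ];
    $text = preg_replace(array_keys($simple), array_values($simple), $text);

    // Step 3: [url=...] carries attacker-chosen data into an attribute. Accept
    // only absolute http(s) URLs; anything else (javascript:, data:, vbscript:)
    // is dropped and just the label is kept.
    $text = preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~s',
        static function (array $m): string {
            // Undo step 1 on the URL so "&amp;" in a query string is checked as "&".
            $href = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('~^https?://[^\s"\'<>]+$~i', $href)) {
                return $m[2];
            }
            return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                 . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $text
    );

    return nl2br($text);
}

// Constructed inputs: the second one is the "manipulate the replacement" attempt.
$samples = [
    "[b]bold[/b] and <script>alert(1)</script>",
    "[url=javascript:alert(1)]click[/url]",
    "[url=http://example.invalid/?a=1&b=2]link[/url]",
];
foreach ($samples as $s) {
    echo bbcode_to_html($s), "\n";
}
```

The order matters: escaping after the replacement would destroy the generated tags, and replacing before escaping would let a user close the generated attribute. Unbalanced or unknown BBCode simply stays as inert text.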




Re: [PHP] Question about a security function

2010-05-21 Thread Al



On 5/21/2010 9:24 AM, David Otton wrote:

On 20 May 2010 16:51, Al n...@ridersite.org wrote:


I'm not being clear. First pass is thru the blacklist, which effectually
tells hacker to not bother and totally deletes the entry.

If the raw entry gets past the blacklist, it must then only contain my
whitelist tags. e.g., the two examples you cited were caught by the
whitelist parser.


Ah, gotcha. That seems like a much better approach to me. But if the
whitelist's going to stop the submission, then why bother with a
blacklist at all?


Like I said above, First pass is thru the blacklist, which effectually
tells hackers to not bother and totally deletes the entry.

Also, it's possible that one of my non-techie users can unwittingly enter hack 
code. I want to make a big deal of it. My error message says in red "Illegal 
code entered. It was not saved. Reenter your text without it." Remember, I show 
them the error segment so they know exactly what the problem is. There is also 
another msg which says to contact tech support with a link.







Re: [PHP] Question about a security function

2010-05-21 Thread David Otton
On 21 May 2010 14:21, Ashley Sheridan a...@ashleysheridan.co.uk wrote:

 I still think you might be better off using BBCode, which is used on
 websites just for this very purpose. When any input comes back, you can
 remove all the HTML completely and replace the BBCode tags that you
 allow. This should guarantee that the only HTML in the text is what you
 put there. That way, the only chance someone has to enter malicious code
 is to manipulate your replacement algorithm.

We don't know what the use case is. It's likely that HTML is a fixed
requirement here.

In any case, stripping the HTML from a post and leaving just the
BBCode is almost as difficult as stripping out all tags except p.
There are so many text encodings and weird quirks out there that I
wouldn't trust any code I'd written myself to do it. HTMLPurifier is
widely adopted and tested, and actively maintained.

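The allow-list David is recommending, written as an HTMLPurifier configuration. This is an added example, not code from the thread or from the HTMLPurifier project; it assumes the library is installed through Composer, and the tag set is this example's choice based on the benign tags mentioned earlier in the thread.

```php
<?php
// Added example: a whitelist-style HTMLPurifier setup. Assumes
// `composer require ezyang/htmlpurifier` has been run in this directory.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

function make_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'XHTML 1.0 Strict');

    // element[attr|attr] syntax. Anything not listed (every on* handler,
    // style, iframe, embed, object, script, ...) is removed, not blocked.
    $config->set(
        'HTML.Allowed',
        'p,b,strong,em,br,h1,h2,h3,ul,ol,li,table,thead,tbody,tr,th,td,'
        . 'a[href],img[src|alt]'
    );

    // Only these schemes survive in href/src; javascript: and data: do not.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // Embedded resources (img src) must be site-relative; links may be external.
    $config->set('URI.DisableExternalResources', true);

    return new HTMLPurifier($config);
}

// Constructed input mixing the vectors raised in the thread with benign markup.
$dirty = '<p onmouseover="alert(1)">hi <IMG SRC="javascript:alert(\'XSS\');">'
       . '<iframe src="http://example.invalid/"></iframe>'
       . '<a href="http://example.invalid/">ok</a></p>';

echo make_purifier()->purify($dirty), "\n";
```

The difference from the approach in the thread is that the purifier rewrites the document to the allowed subset instead of rejecting it; if the editor must refuse the post outright, compare purify()'s output with the input and reject on any difference.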



Re: [PHP] Question about a security function

2010-05-21 Thread Al



On 5/21/2010 9:21 AM, Ashley Sheridan wrote:

On Fri, 2010-05-21 at 14:24 +0100, David Otton wrote:


On 20 May 2010 16:51, Al n...@ridersite.org wrote:


I'm not being clear. First pass is thru the blacklist, which effectually
tells hacker to not bother and totally deletes the entry.

If the raw entry gets past the blacklist, it must then only contain my
whitelist tags. e.g., the two examples you cited were caught by the
whitelist parser.


Ah, gotcha. That seems like a much better approach to me. But if the
whitelist's going to stop the submission, then why bother with a
blacklist at all?




I still think you might be better off using BBCode, which is used on
websites just for this very purpose. When any input comes back, you can
remove all the HTML completely and replace the BBCode tags that you
allow. This should guarantee that the only HTML in the text is what you
put there. That way, the only chance someone has to enter malicious code
is to manipulate your replacement algorithm.

Thanks,
Ash
http://www.ashleysheridan.co.uk





I've used BBcode several times in the past for this reason. But, found I was 
forever having to add new ones for special situations that could easily be 
handled with plain old HTML elements. Some of my users have a rudimentary 
knowledge of html so they can use it. Most just use my proxy tags e.g., a 
partial list:


Text Emphasis = <blue>foo</blue>, <bold>foo</bold>, <green>foo</green>,...
Titles and Headers = <blue-title>foo</blue-title>, <blue-subtitle>..
Containers = <container location; width; border>any content</container>
Lists = <list>*foo...*foo</list>
Horiz and Blank Lines, etc. = <black-line>, <blue-line>, <blank-line>,
URL and email Links = <url www.foo.com>Label</url>; [w/wo http:],
Images = <image position width% relPath>caption</image>;





Re: [PHP] Question about a security function

2010-05-21 Thread Jim Lucas
Al wrote:
 
 
 On 5/21/2010 9:24 AM, David Otton wrote:
 On 20 May 2010 16:51, Al n...@ridersite.org wrote:

 I'm not being clear. First pass is thru the blacklist, which effectually
 tells hacker to not bother and totally deletes the entry.

 If the raw entry gets past the blacklist, it must then only contain my
 whitelist tags. e.g., the two examples you cited were caught by the
 whitelist parser.

 Ah, gotcha. That seems like a much better approach to me. But if the
 whitelist's going to stop the submission, then why bother with a
 blacklist at all?
 
 Like I said above, First pass is thru the blacklist, which effectually
 tells hackers to not bother and totally deletes the entry.
 
 Also, it's possible that one of my non-techie users can unwittingly
 enter hack code. I want to make a big deal of it. My error message says
 in red "Illegal code entered. It was not saved. Reenter your text
 without it." Remember, I show them the error segment so they know
 exactly what the problem is. There is also another msg which says to
 contact tech support with a link.
 
 
 

Do you actually show them the error?  That would give away your mystical
powers of detection... :)

-- 
Jim Lucas

   Some men are born to greatness, some achieve greatness,
   and some have greatness thrust upon them.

Twelfth Night, Act II, Scene V
by William Shakespeare




Re: [PHP] Question about a security function

2010-05-21 Thread Al



On 5/21/2010 10:36 AM, Jim Lucas wrote:

Al wrote:



On 5/21/2010 9:24 AM, David Otton wrote:

On 20 May 2010 16:51, Al n...@ridersite.org wrote:


I'm not being clear. First pass is thru the blacklist, which effectually
tells hacker to not bother and totally deletes the entry.

If the raw entry gets past the blacklist, it must then only contain my
whitelist tags. e.g., the two examples you cited were caught by the
whitelist parser.


Ah, gotcha. That seems like a much better approach to me. But if the
whitelist's going to stop the submission, then why bother with a
blacklist at all?


Like I said above, First pass is thru the blacklist, which effectually
tells hackers to not bother and totally deletes the entry.

Also, it's possible that one of my non-techie users can unwittingly
enter hack code. I want to make a big deal of it. My error message says
in red "Illegal code entered. It was not saved. Reenter your text
without it." Remember, I show them the error segment so they know
exactly what the problem is. There is also another msg which says to
contact tech support with a link.





Do you actually show them the error?  That would give away your mystical
powers of detection... :)



Keep in mind that my users are authenticated before being allowed access. So, 
I'm covering the situations where my user's PW has been stolen or the hacker got 
past the auth.


Fact is, I mainly want to prevent malicious scripts from being placed on my 
pages rendered as HTML.  I just spent some time helping a website I designed 
some years ago, but have not been involved for two years, investigate a hacking. 
The folks maintaining the site ignored all of my recommendations for good 
security practices. Bottom line: 920 html and php files that generate html have 
a script that sends every visitor's IP and the page's URL to a website in RU. I 
don't know why they want this info, the site belongs to a running club.





Re: [PHP] Question about a security function

2010-05-20 Thread Peter Lind
On 20 May 2010 14:53, Al n...@ridersite.org wrote:
 I have a password-protected, user, on-line editor that I'm hardening against
 hackers just in case a user's pw is stolen or local PC is infected.

 The user can enter html tags; but, I restrict the acceptable tags to benign
 ones. e.g., <p>, <b>, <table>, etc.  e.g., no <embed>... <script>... etc.

 Just to be extra safe, I've added a function that parses for executables in
 the raw, entered text. If found, I post and nasty error message and ignore
 the entry altogether.

 Here are my regex patterns. I tried finding a complete list of browser
 executables; but was unsuccessful, probably because I didn't use the right
 key words.

 Anyone have suggestions for additional patterns?

 $securityPatternsArray=array(
 "\<script\x20",
 "\<embed\x20",
 "\<object\x20",
 'language=javascript',
 'type=text/javascript',
 'language=vbscript\',
 'type=text/vbscript',
 'language=vbscript',
 'type=text/tcl',
 "error_reporting\(0\)",//Most hacks I've seen make certain they turn off
 error reporting
 "<\?php",//Here for the heck of it.
 );


Rolling your own when it comes to this is a very bad idea: chances are
you'll miss something even if asking a list like this. Much better to
use an existing tool like htmlpurifier.

Regards
Peter


-- 
hype
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51
/hype




Re: [PHP] Question about a security function

2010-05-20 Thread David Otton
On 20 May 2010 13:53, Al n...@ridersite.org wrote:

 I have a password-protected, user, on-line editor that I'm hardening against
 hackers just in case a user's pw is stolen or local PC is infected.

 The user can enter html tags; but, I restrict the acceptable tags to benign
 ones. e.g., <p>, <b>, <table>, etc.  e.g., no <embed>... <script>... etc.

 Just to be extra safe, I've added a function that parses for executables in
 the raw, entered text. If found, I post and nasty error message and ignore
 the entry altogether.

That's not really going to work. See:

http://ha.ckers.org/xss.html

Blacklisting is a fundamentally flawed approach. I suggest using
http://htmlpurifier.org/ instead.




Re: [PHP] Question about a security function

2010-05-20 Thread Ashley Sheridan
On Thu, 2010-05-20 at 14:27 +0100, David Otton wrote:

 On 20 May 2010 13:53, Al n...@ridersite.org wrote:
 
  I have a password-protected, user, on-line editor that I'm hardening against
  hackers just in case a user's pw is stolen or local PC is infected.
 
  The user can enter html tags; but, I restrict the acceptable tags to benign
  ones. e.g., <p>, <b>, <table>, etc.  e.g., no <embed>... <script>... etc.
 
  Just to be extra safe, I've added a function that parses for executables in
  the raw, entered text. If found, I post and nasty error message and ignore
  the entry altogether.
 
 That's not really going to work. See:
 
 http://ha.ckers.org/xss.html
 
 Blacklisting is a fundamentally flawed approach. I suggest using
 http://htmlpurifier.org/ instead.
 


I agree with Peter and David, it's not generally a good idea to roll your
own in this case, as the repercussions can be quite large if things go
wrong!

If you absolutely must though, don't allow any HTML at all, and use
BBCode instead, which you can replace afterwards. Before entering the
data into a database run it through mysql_real_escape_string(), and if
you are displaying any user-entered data, run that through
htmlentities() or something similar.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Question about a security function

2010-05-20 Thread Al



On 5/20/2010 10:07 AM, Ashley Sheridan wrote:

On Thu, 2010-05-20 at 14:27 +0100, David Otton wrote:


On 20 May 2010 13:53, Al n...@ridersite.org wrote:


I have a password-protected, user, on-line editor that I'm hardening against
hackers just in case a user's pw is stolen or local PC is infected.

The user can enter html tags; but, I restrict the acceptable tags to benign
ones. e.g., <p>, <b>, <table>, etc.  e.g., no <embed>... <script>... etc.

Just to be extra safe, I've added a function that parses for executables in
the raw, entered text. If found, I post and nasty error message and ignore
the entry altogether.


That's not really going to work. See:

http://ha.ckers.org/xss.html

Blacklisting is a fundamentally flawed approach. I suggest using
http://htmlpurifier.org/ instead.




I agree with Peter and David, it's not generally a good idea to roll your
own in this case, as the repercussions can be quite large if things go
wrong!

If you absolutely must though, don't allow any HTML at all, and use
BBCode instead, which you can replace afterwards. Before entering the
data into a database run it through mysql_real_escape_string(), and if
you are displaying any user-entered data, run that through
htmlentities() or something similar.

Thanks,
Ash
http://www.ashleysheridan.co.uk





I agree blacklisting is a flawed approach in general. My approach is to strictly 
confine entry text to a whitelist of benign, acceptable tags. The blacklist is 
sort of a backup and won't even save the entry. The user's entry has no ability 
to affect anything outside of the stuff within the body tags, including the css 
file.


Thanks for the heads up about htmlpurifier. I'll take a more detailed look.

I briefly looked at it earlier; but, found it was gross overkill for my needs. 
My objective is to not let bad stuff into my server to start with, and not to 
parse existing html and css files.


The ha.ckers site is most interesting. I plan to work with it in detail.

Al..





Re: [PHP] Question about a security function

2010-05-20 Thread David Otton
On 20 May 2010 15:52, Al n...@ridersite.org wrote:

 I agree blacklisting is a flawed approach in general. My approach is to
 strictly confine entry text to a whitelist of benign, acceptable tags. The

But that's not what you've done. You've blacklisted the following patterns:

"\<script\x20",
"\<embed\x20",
"\<object\x20",
'language=javascript',
'type=text/javascript',
'language=vbscript\',
'type=text/vbscript',
'language=vbscript',
'type=text/tcl',
"error_reporting\(0\)",//Most hacks I've seen make certain they turn
off error reporting
"<\?php",//Here for the heck of it.

and allowed everything else. A couple of examples:

You haven't blacklisted <iframe>

<IMG SRC="javascript:alert('XSS');"> would sail straight through that list.

I can't tell from that list alone, but are your checks
case-insensitive? Because <ScRipT> would pass through a case-sensitive
check.

We can go on like this all day, and at the end of it you still won't
be sure you've blacklisted everything.

The first answer at
http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags
is related, also.

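To make David's point concrete, here is an added example (not code from the thread) that runs the posted blacklist, reconstructed as far as the archive allows since it stripped the angle brackets, over the inputs he mentions plus a few more of the kind the linked ha.ckers.org cheat sheet collects. The `i` flag reflects Al's later statement that he uses preg_match() with it; the sample strings are constructed here.

```php
<?php
// Added example: which inputs get past the posted blacklist? The patterns are
// reconstructed from the post (the archive dropped the '<' characters); the
// sample inputs are constructed for this example.

declare(strict_types=1);

$securityPatternsArray = [
    '\<script\x20',
    '\<embed\x20',
    '\<object\x20',
    'language=javascript',
    'type=text/javascript',
    'language=vbscript',
    'type=text/vbscript',
    'type=text/tcl',
    'error_reporting\(0\)',
    '<\?php',
];

/** Returns the first pattern that matches, or null if the entry would be accepted. */
function blacklist_hit(string $raw, array $patterns): ?string
{
    foreach ($patterns as $p) {
        if (preg_match('~' . $p . '~i', $raw) === 1) {
            return $p;
        }
    }
    return null;
}

$samples = [
    // the three cases raised in the thread
    '<iframe src="http://example.invalid/"></iframe>',
    '<IMG SRC="javascript:alert(\'XSS\');">',
    '<ScRipT>alert(1)</ScRipT>',
    // "<script\x20" demands a literal space after the tag name, so even a
    // plain <script> tag, and the attribute-without-space form, slip past
    '<script>alert(1)</script>',
    '<script/src="http://example.invalid/x.js"></script>',
    // no pattern looks at event handlers or URL schemes at all
    '<svg onload="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    '<b onmouseover="alert(1)">hover</b>',
];

foreach ($samples as $s) {
    $hit = blacklist_hit($s, $securityPatternsArray);
    printf("%-58s %s\n", $s, $hit === null ? 'PASSES blacklist' : "blocked by '$hit'");
}
```

Every sample above passes. The point is not that these particular strings are missing from the list, it is that a blacklist is only ever as complete as its author's knowledge of the browser, whereas a whitelist only has to know what the author intends to allow.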



Re: [PHP] Question about a security function

2010-05-20 Thread Al



On 5/20/2010 11:23 AM, David Otton wrote:

On 20 May 2010 15:52, Al n...@ridersite.org wrote:


I agree blacklisting is a flawed approach in general. My approach is to
strictly confine entry text to a whitelist of benign, acceptable tags. The


But that's not what you've done. You've blacklisted the following patterns:

"\<script\x20",
"\<embed\x20",
"\<object\x20",
'language=javascript',
'type=text/javascript',
'language=vbscript\',
'type=text/vbscript',
'language=vbscript',
'type=text/tcl',
"error_reporting\(0\)",//Most hacks I've seen make certain they turn
off error reporting
"<\?php",//Here for the heck of it.

and allowed everything else. A couple of examples:

You haven't blacklisted <iframe>

<IMG SRC="javascript:alert('XSS');"> would sail straight through that list.

I can't tell from that list alone, but are your checks
case-insensitive? Because <ScRipT> would pass through a case-sensitive
check.

We can go on like this all day, and at the end of it you still won't
be sure you've blacklisted everything.

The first answer at
http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags
is related, also.


I'm not being clear. First pass is thru the blacklist, which effectually tells 
hacker to not bother and totally deletes the entry.


If the raw entry gets past the blacklist, it must then only contain my whitelist 
tags. e.g., the two examples you cited were caught by the whitelist parser.


And yes, I'm using preg_match() with the i arg.

Note, my blacklist is not looking for tags per se, just the start of a bad tag. 
My users are only supposed to be entering plain text with some nice highlighting 
and lists, etc. The editor will not post anything else.


Al...




Re: [PHP] Question about a security function

2010-05-20 Thread Ashley Sheridan
On Thu, 2010-05-20 at 11:51 -0400, Al wrote:

 
 On 5/20/2010 11:23 AM, David Otton wrote:
  On 20 May 2010 15:52, Al n...@ridersite.org wrote:
 
  I agree blacklisting is a flawed approach in general. My approach is to
  strictly confine entry text to a whitelist of benign, acceptable tags. The
 
  But that's not what you've done. You've blacklisted the following patterns:
 
  "\<script\x20",
  "\<embed\x20",
  "\<object\x20",
  'language=javascript',
  'type=text/javascript',
  'language=vbscript\',
  'type=text/vbscript',
  'language=vbscript',
  'type=text/tcl',
  "error_reporting\(0\)",//Most hacks I've seen make certain they turn
  off error reporting
  "<\?php",//Here for the heck of it.
 
  and allowed everything else. A couple of examples:
 
  You haven't blacklisted <iframe>
  
  <IMG SRC="javascript:alert('XSS');"> would sail straight through that list.
  
  I can't tell from that list alone, but are your checks
  case-insensitive? Because <ScRipT> would pass through a case-sensitive
  check.
 
  We can go on like this all day, and at the end of it you still won't
  be sure you've blacklisted everything.
 
  The first answer at
  http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags
  is related, also.
 
 I'm not being clear. First pass is thru the blacklist, which effectually 
 tells 
 hacker to not bother and totally deletes the entry.
 
 If the raw entry gets past the blacklist, it must then only contain my 
 whitelist 
 tags. e.g., the two examples you cited were caught by the whitelist parser.
 
 And yes, I'm using preg_match() with the i arg.
 
 Note, my blacklist is not looking for tags per se, just the start of a bad 
 tag. 
 My users are only supposed to be entering plain text with some nice 
 highlighting 
 and lists, etc. The editor will not post anything else.
 
 Al...
 


How are you matching against your whitelist? 

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Question about a security function

2010-05-20 Thread Jim Lucas
Al wrote:
 
 
 On 5/20/2010 11:23 AM, David Otton wrote:
 On 20 May 2010 15:52, Al n...@ridersite.org wrote:

 I agree blacklisting is a flawed approach in general. My approach is to
 strictly confine entry text to a whitelist of benign, acceptable
 tags. The

 But that's not what you've done. You've blacklisted the following
 patterns:

 "\<script\x20",
 "\<embed\x20",
 "\<object\x20",
 'language=javascript',
 'type=text/javascript',
 'language=vbscript\',
 'type=text/vbscript',
 'language=vbscript',
 'type=text/tcl',
 "error_reporting\(0\)",//Most hacks I've seen make certain they turn
 off error reporting
 "<\?php",//Here for the heck of it.

 and allowed everything else. A couple of examples:

 You haven't blacklisted <iframe>

 <IMG SRC="javascript:alert('XSS');"> would sail straight through that
 list.

 I can't tell from that list alone, but are your checks
 case-insensitive? Because <ScRipT> would pass through a case-sensitive
 check.

 We can go on like this all day, and at the end of it you still won't
 be sure you've blacklisted everything.

 The first answer at
 http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags

 is related, also.
 
 I'm not being clear. First pass is thru the blacklist, which effectually
 tells hacker to not bother and totally deletes the entry.
 
 If the raw entry gets past the blacklist, it must then only contain my
 whitelist tags. e.g., the two examples you cited were caught by the
 whitelist parser.

What exactly does your whitelist parser do?

 
 And yes, I'm using preg_match() with the i arg.
 
 Note, my blacklist is not looking for tags per se, just the start of a
 bad tag. My users are only supposed to be entering plain text with some
 nice highlighting and lists, etc. The editor will not post anything else.

But who says I have to use your editor?

 
 Al...
 


-- 
Jim Lucas

   Some men are born to greatness, some achieve greatness,
   and some have greatness thrust upon them.

Twelfth Night, Act II, Scene V
by William Shakespeare




Re: [PHP] Question about a security function

2010-05-20 Thread Al



On 5/20/2010 12:02 PM, Jim Lucas wrote:

Al wrote:



On 5/20/2010 11:23 AM, David Otton wrote:

On 20 May 2010 15:52, Al n...@ridersite.org wrote:


I agree blacklisting is a flawed approach in general. My approach is to
strictly confine entry text to a whitelist of benign, acceptable
tags. The


But that's not what you've done. You've blacklisted the following
patterns:

"\<script\x20",
"\<embed\x20",
"\<object\x20",
'language=javascript',
'type=text/javascript',
'language=vbscript\',
'type=text/vbscript',
'language=vbscript',
'type=text/tcl',
"error_reporting\(0\)",//Most hacks I've seen make certain they turn
off error reporting
"<\?php",//Here for the heck of it.

and allowed everything else. A couple of examples:

You haven't blacklisted <iframe>

<IMG SRC="javascript:alert('XSS');"> would sail straight through that
list.

I can't tell from that list alone, but are your checks
case-insensitive? Because <ScRipT> would pass through a case-sensitive
check.

We can go on like this all day, and at the end of it you still won't
be sure you've blacklisted everything.

The first answer at
http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags

is related, also.


I'm not being clear. First pass is thru the blacklist, which effectually
tells hacker to not bother and totally deletes the entry.

If the raw entry gets past the blacklist, it must then only contain my
whitelist tags. e.g., the two examples you cited were caught by the
whitelist parser.


What exactly does your whitelist parser do?


It posts an error message that shows the user what the error is [e.g.,
"<iframe> is an invalid tag. Your text cannot be posted until all errors are 
corrected."]


Only when the submitted raw text passes the blacklist and whitelist, will the 
raw text be saved and be available for on-the-fly conversion to html.







And yes, I'm using preg_match() with the i arg.

Note, my blacklist is not looking for tags per se, just the start of a
bad tag. My users are only supposed to be entering plain text with some
nice highlighting and lists, etc. The editor will not post anything else.


But who says I have to use your editor?


No one says you must use my editor.





Al...






I'm methodically going thru ha.ckers tests and so far my filters have caught 
everything.


I greatly appreciate everyone's help.




Re: [PHP] Question about a security function

2010-05-20 Thread Ashley Sheridan
On Thu, 2010-05-20 at 12:40 -0400, Al wrote:

 
 On 5/20/2010 12:02 PM, Jim Lucas wrote:
  Al wrote:
 
 
  On 5/20/2010 11:23 AM, David Otton wrote:
  On 20 May 2010 15:52, Al n...@ridersite.org wrote:
 
  I agree blacklisting is a flawed approach in general. My approach is to
  strictly confine entry text to a whitelist of benign, acceptable
  tags. The
 
  But that's not what you've done. You've blacklisted the following
  patterns:
 
  "\<script\x20",
  "\<embed\x20",
  "\<object\x20",
  'language=javascript',
  'type=text/javascript',
  'language=vbscript\',
  'type=text/vbscript',
  'language=vbscript',
  'type=text/tcl',
  "error_reporting\(0\)",//Most hacks I've seen make certain they turn
  off error reporting
  "<\?php",//Here for the heck of it.
 
  and allowed everything else. A couple of examples:
 
  You haven't blacklisted <iframe>
  
  <IMG SRC="javascript:alert('XSS');"> would sail straight through that
  list.
  
  I can't tell from that list alone, but are your checks
  case-insensitive? Because <ScRipT> would pass through a case-sensitive
  check.
 
  We can go on like this all day, and at the end of it you still won't
  be sure you've blacklisted everything.
 
  The first answer at
  http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags
 
  is related, also.
 
  I'm not being clear. First pass is thru the blacklist, which effectually
  tells hacker to not bother and totally deletes the entry.
 
  If the raw entry gets past the blacklist, it must then only contain my
  whitelist tags. e.g., the two examples you cited were caught by the
  whitelist parser.
 
  What exactly does your whitelist parser do?
 
 It posts an error message that shows the user what the error is [e.g.,
 "<iframe> is an invalid tag. Your text cannot be posted until all errors are 
 corrected."]
 
 Only when the submitted raw text passes the blacklist and whitelist, will the 
 raw text be saved and be available for on-the-fly conversion to html.
 
 
 
 
  And yes, I'm using preg_match() with the i arg.
 
  Note, my blacklist is not looking for tags per se, just the start of a
  bad tag. My users are only supposed to be entering plain text with some
  nice highlighting and lists, etc. The editor will not post anything else.
 
  But who says I have to use your editor?
 
 No one says you must use my editor.
 
 
 
  Al...
 
 
 
 
 I'm methodically going thru ha.ckers tests and so far my filters have caught 
 everything.
 
 I greatly appreciate everyone's help.
 


I think Jim meant how is your whitelist operating, not what it does to
the user. Posting a message saying that <iframe> tags are not allowed
sounds more like a blacklist type of behaviour.

A whitelist should consider the data sent from the user as bad, and only
allow it through if it meets certain criteria. By checking specifically
for an <iframe> tag and being able to warn the user specifically, you're
just using a blacklist not a whitelist.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Question about a security function

2010-05-20 Thread Al



On 5/20/2010 12:43 PM, Ashley Sheridan wrote:

On Thu, 2010-05-20 at 12:40 -0400, Al wrote:



On 5/20/2010 12:02 PM, Jim Lucas wrote:

Al wrote:



On 5/20/2010 11:23 AM, David Otton wrote:

On 20 May 2010 15:52, Al n...@ridersite.org wrote:


I agree blacklisting is a flawed approach in general. My approach is to
strictly confine entry text to a whitelist of benign, acceptable
tags. The


But that's not what you've done. You've blacklisted the following
patterns:

"\<script\x20",
"\<embed\x20",
"\<object\x20",
'language=javascript',
'type=text/javascript',
'language=vbscript\',
'type=text/vbscript',
'language=vbscript',
'type=text/tcl',
"error_reporting\(0\)",//Most hacks I've seen make certain they turn
off error reporting
"<\?php",//Here for the heck of it.

and allowed everything else. A couple of examples:

You haven't blacklisted <iframe>

<IMG SRC="javascript:alert('XSS');"> would sail straight through that
list.

I can't tell from that list alone, but are your checks
case-insensitive? Because <ScRipT> would pass through a case-sensitive
check.

We can go on like this all day, and at the end of it you still won't
be sure you've blacklisted everything.

The first answer at
http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags

is related, also.


I'm not being clear. First pass is thru the blacklist, which effectually
tells hacker to not bother and totally deletes the entry.

If the raw entry gets past the blacklist, it must then only contain my
whitelist tags. e.g., the two examples you cited were caught by the
whitelist parser.


What exactly does your whitelist parser do?


It posts an error message that shows the user what the error is [e.g.,
"<iframe> is an invalid tag. Your text cannot be posted until all errors are
corrected."]

Only when the submitted raw text passes the blacklist and whitelist, will the
raw text be saved and be available for on-the-fly conversion to html.






And yes, I'm using preg_match() with the i arg.

Note, my blacklist is not looking for tags per se, just the start of a
bad tag. My users are only supposed to be entering plain text with some
nice highlighting and lists, etc. The editor will not post anything else.


But who says I have to use your editor?


No one says you must use my editor.





Al...






I'm methodically going thru ha.ckers tests and so far my filters have caught
everything.

I greatly appreciate everyone's help.




I think Jim meant how is your whitelist operating, not what it does to
the user. Posting a message saying that <iframe> tags are not allowed
sounds more like a blacklist type of behaviour.

A whitelist should consider the data sent from the user as bad, and only
allow it through if it meets certain criteria. By checking specifically
for an <iframe> tag and being able to warn the user specifically, you're
just using a blacklist not a whitelist.

Thanks,
Ash
http://www.ashleysheridan.co.uk





No, no, it's truly a whitelist. Every tag that is not in the list is designated 
as not allowed. If anyone is interested here is my whitelist. I also use these 
for html validity and nesting checking, etc. Note, they are listed by html type. 
<img> and <a> use are very constrained. <img> can only point to an image file on 
the server and <a> is checked for syntax and even that it points to a valid URL.


//region Usable XHTML elements for user entered raw text [Only these 
XHTML tags can be used] 


$inlineHtmlTagsArray = array('a', 'b', 'img', 'em', 'option', 'select', 'span', 
'strong',); //Note img is both empty and inline


$blockHtmlTagsArray = array('div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 
'pre',);

$emptyHtmlTagsArray = array('br', 'hr', 'img',);

$listHtmlTagsArray = array('li', 'ol', 'ul');

$tableHtmlTagsArray = array('col', 'table', 'tbody', 'td', 'th', 'thead', 
'tr',);
//endregion




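One way to enforce a whitelist like Al's, as an added example that is not Al's parser: parse with libxml's HTML parser (PHP's DOMDocument) and reject any element, attribute or non-text node that is not explicitly allowed. That also closes the attribute hole a tag-name-only check leaves open (`<b onmouseover=...>`, `<a href="javascript:...">`). The tag sets are the ones Al posted; the attribute policy for `<a href>` and `<img src>` and the sample inputs are this example's assumptions. libxml is still not the browser's parser, which is why HTMLPurifier keeps coming up in this thread.

```php
<?php
// Added example: whitelist validation over a parsed DOM. Tag sets are from
// Al's post; the attribute rules and sample inputs are assumptions made here.

declare(strict_types=1);

$allowedTags = array_merge(
    ['a', 'b', 'img', 'em', 'option', 'select', 'span', 'strong'],   // inline
    ['div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'pre'],         // block
    ['br', 'hr'],                                                     // empty
    ['li', 'ol', 'ul'],                                               // list
    ['col', 'table', 'tbody', 'td', 'th', 'thead', 'tr']              // table
);

// Any attribute not listed for its tag is a violation: that covers on*, style,
// srcdoc, formaction and whatever the next browser release adds.
$allowedAttrs = [
    'a'   => ['href'],
    'img' => ['src', 'alt'],
];

/** Returns a list of violations; an empty list means the fragment is accepted. */
function whitelist_violations(string $fragment, array $tags, array $attrs): array
{
    $errors = [];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // Wrap the fragment so libxml does not invent <html>/<body>. The wrapper is
    // recognised by identity below; every other top-level node (e.g. anything
    // following a stray </div> in the input) is still checked.
    $doc->loadHTML('<div id="wrapper">' . $fragment . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $wrapper = $doc->documentElement;

    $walk = function (DOMNode $parent) use (&$walk, &$errors, $tags, $attrs, $wrapper): void {
        foreach ($parent->childNodes as $child) {
            if ($child->nodeType === XML_TEXT_NODE) {
                continue;
            }
            if ($child->nodeType !== XML_ELEMENT_NODE) {
                // Comments and <?php ... ?> (a processing instruction to libxml)
                // are neither text nor whitelisted elements.
                $errors[] = 'disallowed node type ' . $child->nodeType;
                continue;
            }
            if ($wrapper !== null && $child->isSameNode($wrapper)) {
                $walk($child);
                continue;
            }
            $name = strtolower($child->tagName);
            if (!in_array($name, $tags, true)) {
                $errors[] = "<$name> is an invalid tag";
            }
            foreach ($child->attributes as $attr) {
                $aname = strtolower($attr->name);
                if (!in_array($aname, $attrs[$name] ?? [], true)) {
                    $errors[] = "<$name $aname=...> is an invalid attribute";
                    continue;
                }
                if ($name === 'a' && !preg_match('~^https?://[^\s"\'<>]+$~i', $attr->value)) {
                    $errors[] = '<a href> must be an absolute http(s) URL';
                }
                if ($name === 'img' && $aname === 'src'
                    && !preg_match('~^(?!.*\.\.)[\w/-]+\.(?:png|jpe?g|gif)$~i', $attr->value)) {
                    $errors[] = '<img src> must be a relative path to an image on this server';
                }
            }
            $walk($child);
        }
    };
    $walk($doc);
    return $errors;
}

// Constructed inputs: one benign post, then the vectors discussed in the thread.
$samples = [
    '<p>Hello <b>world</b> <img src="pics/logo.png" alt="logo"></p>',
    '<p><iframe src="http://example.invalid/"></iframe></p>',
    '<p><IMG SRC="javascript:alert(\'XSS\');"></p>',
    '<p><b onmouseover="alert(1)">hover</b></p>',
    '</div><script>alert(1)</script>',
    '<p><!-- note --><a href="javascript:alert(1)">x</a></p>',
];
foreach ($samples as $s) {
    $v = whitelist_violations($s, $allowedTags, $allowedAttrs);
    echo $s, "\n  => ", $v ? implode('; ', $v) : 'accepted', "\n";
}
```

Only the first sample is accepted. Because the check rejects rather than rewrites, it fits the "refuse the entry and show the user the offending segment" behaviour described in the thread; the raw text is only stored once the list comes back empty.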