Re: Re: Security, Late Nights and Overall Paranoia

The point is..

If you, for example, only allow <i>, <u> and <b>, doing this with BBCode would require extra CPU cycles to convert [i] to <i>.

I don't really agree with this, because I think escaping the HTML + replacing BBCode would require fewer CPU cycles than scanning the string for invalid HTML and escaping it.

Maybe someone has the time to benchmark this?

Whatever the outcome will be, I would still prefer <i> over [i] because I'm a standards guy =)

regards,
Evert


Jonathan Kart wrote:

I've been loosely following this thread, and have a question now. Isn't one advantage of a BBCode-type solution that you can more easily
avoid session hijacking via cross-site scripting?  If you allow HTML,
then you open the door for people to add event handlers.  I guess you
could always strip them, but it seems like for simple stuff BBCode
isn't a bad solution.

On 7/11/05, Richard Davey <rich@xxxxxxxxxxxxxxxx> wrote:
Hello Greg,

Monday, July 11, 2005, 5:06:51 PM, you wrote:

GD> I wouldn't know, <span> isn't one of the tags I allow.

If you stick to the plain vanilla HTML tags such as i, b, u, etc then
BBCode is pointless - I agreed on this with you several posts ago. I
don't however use it just for that, I use it to let thousands of kids
add a little sparkle to their messages/profiles with colours, images,
etc -- without them having to have good CSS/HTML knowledge (most of them
could handle a font tag, but that'd break my XHTML Trans). This is the
point I argued all along to which I get "it's not really a security
benefit" (no, it's a user benefit) and it's a "misuse of cpu cycles".

For people I hold in such high regard, I'm ashamed at the lot of you :)

GD> I don't bother with perfect tag validation, and I doubt the phpbb
GD> bbcode people do either since they average about 2-3 exploits a
GD> month on Bugtraq.

Not that I'd let an install of phpBB anywhere near a site I run, they
didn't invent BBCode, and in all fairness to those guys the majority
of their exploits are elsewhere.

GD> I allow a specific set of safe html tags and I provide a preview
GD> function. Even after that, if the user goofs up I allow a specific
GD> time span in which to edit the post to correct the goof.

Ditto. I just don't force them to use HTML.

Best regards,

Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
"I do not fear computers. I fear the lack of them." - Isaac Asimov

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


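The two designs argued over in this thread, allowing a whitelist of HTML tags versus escaping everything and translating BBCode, side by side as an added PHP example. This is not code from any poster; the function names and the sample inputs are made up for illustration. The strip_tags() caveat it demonstrates is real and documented: strip_tags() keeps every attribute on a tag it allows, so an on* event handler on a "safe" <b> passes straight through, which is exactly the hole Jonathan describes.

```php
<?php
// Added example (not from any poster in this thread): the two designs
// debated above, side by side. Function names and sample inputs are
// made up for illustration.

// Design 1: allow a whitelist of HTML tags with strip_tags().
// strip_tags() keeps every attribute on an allowed tag, so an on*
// event handler survives and the post can read the session cookie.
function naive_allow_html(string $input): string
{
    return strip_tags($input, '<b><i><u>');
}

// Design 1, hardened: after the tag whitelist, rewrite every surviving
// opening tag to its bare form so no attribute (onmouseover, style, ...)
// is left. Closing tags do not match because "<" must be followed by
// the tag letter, not "/".
function allow_html_no_attrs(string $input): string
{
    $kept = strip_tags($input, '<b><i><u>');
    return preg_replace('/<(b|i|u)\b[^>]*>/i', '<$1>', $kept);
}

// Design 2 (the order Evert argues for): escape the whole string first,
// then translate a fixed BBCode set into HTML. No user-supplied "<" ever
// reaches the output as a tag, so there is nothing to strip afterwards.
// The [color=...] value is matched against a strict pattern so a user
// cannot smuggle a quote or a second attribute into the style attribute.
function bbcode_to_html(string $input): string
{
    $escaped = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    $map = [
        '/\[b\](.*?)\[\/b\]/is' => '<b>$1</b>',
        '/\[i\](.*?)\[\/i\]/is' => '<i>$1</i>',
        '/\[u\](.*?)\[\/u\]/is' => '<u>$1</u>',
        '/\[color=(#[0-9a-f]{6}|[a-z]+)\](.*?)\[\/color\]/is'
            => '<span style="color:$1">$2</span>',
    ];
    return preg_replace(array_keys($map), array_values($map), $escaped);
}

// Constructed sample input: a whitelisted <b> tag carrying an event handler.
$attack = '<b onmouseover="alert(document.cookie)">hover me</b>';
echo naive_allow_html($attack), "\n";
echo allow_html_no_attrs($attack), "\n";

// Constructed sample input: BBCode plus a raw <script> that must be escaped.
$post = '[b]hi[/b] <script>alert(1)</script> [color=red]sparkle[/color]';
echo bbcode_to_html($post), "\n";
```

Run it with the PHP CLI: the first line still carries the onmouseover attribute, the second is reduced to a bare <b>hover me</b>, and the third has the <script> turned into entities while the BBCode became markup. Neither design does anything clever with unclosed or mis-nested tags; that is the job of the preview and edit window Greg describes, and either approach wants one.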