Good point about the '<script> evil haxor code here; </script>'. That's bad for
our users, not the site, per se.
Raw text to html is primarily done with a series of preg_replace() operations.
No include() or exec() allowed near the text.
Sounds like I'm in pretty good shape.
Thanks for the help......
Jochem Maas wrote:
Al wrote:
I've got a website on a virtual-host, Apache/Linux system running php
scripts.
In particular, I've designed a CMS where designated individuals compose
and edit text in an html textarea, and then save the raw text in files.
Custom [i.e., proxy] tags are used for emphasizing and formatting
text [e.g., <red>Red Text</red>]. The raw text is converted to W3C
compliant html code for user rendering. When processing the text, I
remove all php start codes [<? <?php, etc.] from the text, though it's
not obvious to me how the text can be executed when it's treated as pure
text sent to the client.
Now the question. Does anyone see an obvious security hole?
if you don't strip out stuff like '<script> evil haxor code here; </script>'
then that's one thing that can bite.
it's hard to say what holes there may be without seeing the code
that does the conversion from 'raw text' to 'html' .
another security issue is whether anyone could overwrite existing 'content'
text files on the server - only your CMS should have write access to these.
any php code in the files can't be run at all *unless* you're using include
on the given text files or you're running the content of the text files through
eval()
Thanks.....
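An added example, not code from anyone in this thread, showing the conversion step the thread discusses done the other way round: instead of stripping known-bad things (`<script>`, `<?php`) out of the raw text and passing the rest through, escape everything with htmlspecialchars() first and then re-enable only a whitelist of proxy tags via preg_replace(). The proxy tag names and the CSS class are assumptions for illustration.

```php
<?php
// Added example (not from the thread): convert "raw text" containing custom
// proxy tags such as <red>...</red> into HTML. Everything is escaped first,
// then only the whitelisted tags are turned back into real markup, so any
// HTML, JavaScript or PHP an author types is rendered as literal text.

/** Allowed proxy tags and the HTML each one produces (assumed names/classes). */
const PROXY_TAGS = [
    'red' => ['<span class="red">', '</span>'],
    'b'   => ['<strong>', '</strong>'],
    'i'   => ['<em>', '</em>'],
];

function rawToHtml(string $raw): string
{
    // 1. Escape everything: <script>, <?php, quotes and attributes all
    //    become inert text. This is the default for anything not listed below.
    $html = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Re-enable only the whitelisted proxy tags. After escaping, an
    //    author's <red> appears as &lt;red&gt;, so match that escaped form.
    foreach (PROXY_TAGS as $tag => [$open, $close]) {
        $quoted = preg_quote($tag, '/');
        $html = preg_replace(
            '/&lt;' . $quoted . '&gt;(.*?)&lt;\/' . $quoted . '&gt;/s',
            $open . '$1' . $close,
            $html
        );
    }

    // 3. Blank lines become paragraphs, single newlines become <br>.
    $paragraphs = preg_split('/\R{2,}/', trim($html));
    return implode("\n", array_map(
        fn(string $p): string => '<p>' . nl2br($p) . '</p>',
        $paragraphs
    ));
}

// Constructed sample input containing the kinds of content the thread worries about.
$sample = "<red>Warning</red>: the <b>server</b> reboots at 02:00.\n\n"
        . "<script>alert('x')</script> and <?php echo 'nope'; ?> stay inert.";

echo rawToHtml($sample), PHP_EOL;
```

The difference from a strip-the-bad-patterns approach is which side gets the benefit of the doubt: a blacklist leaves through whatever the regexes did not anticipate, while escape-then-whitelist only ever emits the handful of tags named in PROXY_TAGS and renders anything else, including `<script>` and `<?php`, as visible text. The content-file permission point raised above still stands separately: the converter cannot help if something other than the CMS can rewrite the raw files.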
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php