Re: Security Question

Al wrote:
> Here is part of my proxy tags to html tags translation array. Looks
> pretty safe to me. There is other code to recognize paragraphs and
> lists, etc.

any 'real' html in the content you're 'translating' is still going to
be there after translation - and therefore sent to the client;
quite impossible to say, without knowing the code or the reliability of the
content source (e.g. the people that generate the content files),
how safe it actually is.

I would suggest you go to http://phpsec.org - chances are you learn something
that you have yet to consider at this point in time :-)


> 
> $translate_array = array(
>     '<link>'       => '<a href="http://',
>     '</link>'      => '</a>',
>     '<slink>'      => '<a href="https://',
>     '</slink>'     => '</a>',
>     '<label>'      => '" target="_blank">',
>     '<email>'      => '<a href="mailto:',
>     '<name>'       => '">',
>     '</email>'     => '</a>',
>     '<photo>'      => "<img class=\"floatleft\" alt=\"mug\" src=\"$scr",
>     '</photo>'     => '">',
>     '<blue-line>'  => "<div class=\"horzline\"></div>\n",
>     '<blue_line>'  => "<div class=\"horzline\"></div>\n",
>     '<images>'     => "<div class=\"images\">",
>     '</images>'    => "</div>\n",
>     '<no_banner>'  => '',
>     '<no_menu>'    => '',
>     '<return>'     => "<div class=\"return\"><a style=\"text-decoration:underline\" href=\"$request_url\">Return to previous page</a></div>\n",
> );
> 
> Jochem Maas wrote:
>> Al wrote:
>>> Good point about the '<script> evil haxor code here; </script>'.  That's
>>> bad for our users, not the site, per se.
>>
>> what is bad for your users is bad for your site, on top of that
>> the script is running in the context of your domain - all sorts of
>> nasty possibilities that could affect your site.
>>
>>> Raw text to html is primarily done with a series of preg_replace()
>>> operations.
>>
>> what/how [exactly] the transformation is done determines
>> whether you're safe.
>>
>>> No include() or exec() allowed near the text.
>>>
>>> Sounds like I'm in pretty good shape.
>>
>> maybe, maybe not - see above.
>>
>> (do you practice any sports? ;-P)
>>
>> ...
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
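An escape-first variant of the same translation, added here as an example and not code from the thread. It assumes `$scr` and `$request_url` are the variables Al's array refers to, and shows why escaping the raw content before mapping the proxy markers keeps any real html in the content from reaching the browser as markup:

```php
<?php
// Added example (not from the thread). Escapes the raw content first so any
// real html in it (a literal <script> tag, a stray quote) reaches the browser
// as text, then translates the now-escaped proxy markers to html.
// $scr and $request_url are assumed to be the variables Al's array uses.

function translate_proxy_tags(string $raw, string $scr, string $request_url): string
{
    // Step 1: neutralise everything. After this no '<', '>', '"' or '&'
    // from the content source is left unencoded.
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: the proxy markers were escaped too, so the keys are their
    // escaped form. Text the content supplies inside an attribute (the URL
    // between <link> and <label>) is already entity-encoded, so it cannot
    // close the attribute, and the scheme is fixed by the replacement.
    $safe_scr = htmlspecialchars($scr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe_url = htmlspecialchars($request_url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $map = [
        '&lt;link&gt;'      => '<a href="http://',
        '&lt;/link&gt;'     => '</a>',
        '&lt;slink&gt;'     => '<a href="https://',
        '&lt;/slink&gt;'    => '</a>',
        '&lt;label&gt;'     => '" target="_blank">',
        '&lt;email&gt;'     => '<a href="mailto:',
        '&lt;name&gt;'      => '">',
        '&lt;/email&gt;'    => '</a>',
        '&lt;photo&gt;'     => '<img class="floatleft" alt="mug" src="' . $safe_scr,
        '&lt;/photo&gt;'    => '">',
        '&lt;blue-line&gt;' => "<div class=\"horzline\"></div>\n",
        '&lt;blue_line&gt;' => "<div class=\"horzline\"></div>\n",
        '&lt;images&gt;'    => '<div class="images">',
        '&lt;/images&gt;'   => "</div>\n",
        '&lt;no_banner&gt;' => '',
        '&lt;no_menu&gt;'   => '',
        '&lt;return&gt;'    => '<div class="return"><a style="text-decoration:underline" href="'
                               . $safe_url . "\">Return to previous page</a></div>\n",
    ];

    // strtr() with an array does a single left-to-right pass and never
    // rescans text it has just inserted, so a replacement cannot be pieced
    // together from the output of another one the way chained
    // str_replace()/preg_replace() calls can.
    return strtr($escaped, $map);
}

// Constructed sample: one legitimate proxy link plus an attempt to smuggle
// real html through the translator.
$sample = "<link>example.org/page<label>Example</link>\n<script> evil haxor code here; </script>";
echo translate_proxy_tags($sample, '/img/mug.jpg', '/index.php');
```

The proxy link still becomes a normal anchor, while the literal script tag is emitted as entities and displays as text rather than executing.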

