Re: Question about a security function


On 5/20/2010 10:07 AM, Ashley Sheridan wrote:
On Thu, 2010-05-20 at 14:27 +0100, David Otton wrote:

On 20 May 2010 13:53, Al <news@xxxxxxxxxxxxx> wrote:

I have a password-protected, user, on-line editor that I'm hardening against
hackers just in case a user's pw is stolen or local PC is infected.

The user can enter html tags; but, I restrict the acceptable tags to benign
ones. e.g., <p>, <b>, <table>, etc.  e.g., no <embed..., <script..., etc.

Just to be extra safe, I've added a function that parses for executables in
the raw, entered text. If found, I post a nasty error message and ignore
the entry altogether.

That's not really going to work. See:

http://ha.ckers.org/xss.html

Blacklisting is a fundamentally flawed approach. I suggest using
http://htmlpurifier.org/ instead.



I agree with Peter and David, it's not generally a good idea to roll your
own in this case, as the repercussions can be quite large if things go
wrong!

If you absolutely must though, don't allow any HTML at all, and use
BBCode instead, which you can replace afterwards. Before entering the
data into a database run it through mysql_real_escape_string(), and if
you are displaying any user-entered data, run that through
htmlentities() or something similar.

Thanks,
Ash
http://www.ashleysheridan.co.uk




I agree blacklisting is a flawed approach in general. My approach is to strictly confine entry text to a whitelist of benign, acceptable tags. The blacklist is sort of a backup and won't even save the entry. The user's entry has no ability to affect anything outside of the stuff within the body tags, including the css file.

Thanks for the heads up about htmlpurifier. I'll take a more detailed look.

I briefly looked at it earlier; but, found it was gross overkill for my needs. My objective is to not let bad stuff into my server to start with, and not to parse existing html and css files.

The ha.ckers site is most interesting. I plan to work with it in detail.

Al..........

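An added illustration of the whitelist approach Al describes and the output escaping Ash recommends, written for this archive and not taken from any poster's code: instead of regex-matching tag names (the blacklist the thread argues against), the input is parsed with PHP's DOMDocument and re-serialised keeping only a fixed set of tags, with every attribute dropped and all text re-escaped. The allowed tag list and the sample input are constructed assumptions.

```php
<?php
// Added example, not from the thread. Whitelist-based HTML filtering built on a
// real parser: unknown tags are dropped (their text is kept), no attribute is ever
// copied through, and text nodes are re-escaped on output.
declare(strict_types=1);

// Constructed whitelist; adjust to the editor's needs. Note: no attributes at all.
const ALLOWED_TAGS = ['p', 'b', 'i', 'table', 'tr', 'td', 'th', 'ul', 'li'];

function whitelistHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // malformed input still yields a tree
    // The XML PI forces UTF-8; libxml wraps the fragment in <html><body> for us.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : renderChildren($body);
}

function renderChildren(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Re-escape text so typed entities or brackets can never become markup.
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                continue;                      // raw-text elements: drop contents too
            }
            if (in_array($tag, ALLOWED_TAGS, true)) {
                $out .= "<$tag>" . renderChildren($child) . "</$tag>";
            } else {
                $out .= renderChildren($child); // unknown tag: keep only its text
            }
        }
        // Comments, CDATA and processing instructions fall through and are dropped.
    }
    return $out;
}

// Plain-text fields (titles, names) never need tags: escape them fully on display.
function escapeText(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input exercising an allowed tag, an attribute, and an unknown tag.
$sample = '<p onclick="x()">Hello <b>world</b> &amp; <span>friends</span></p>';
echo whitelistHtml($sample), "\n";   // <p>Hello <b>world</b> &amp; friends</p>
echo escapeText('Al <news@example>'), "\n";
```

Ash's database advice needs one update for current PHP: mysql_real_escape_string() was removed along with the mysql extension in PHP 7, and the equivalent today is a prepared statement with bound parameters (PDO or mysqli).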

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

