Filtering certain HTML tag

Tommy1402 · #1 (**permalink**) 06-11-2007, 09:25 AM

Hai, I use some Free WYSIWYG editor, and I would like to know how to filter tags such as: SCRIPT, or STYLE to prevent XSS...

Thanks !!

Maugrim The Reaper · #2 (**permalink**) 06-11-2007, 04:35 PM

First step should be looking at PHP's strip_tags(). If you're using Zend_Filter_Input, there's a StripTags filter you could try. There's also the more heavy weight HTMLPurifier library available for PHP which can help.

Either way I suggest reading up on stripping tags. There are a few exploits where malformed HTML is enough is allow for an XSS (Cross Site Scripting) exploit. Something to definitely check for are any tags containing "javascript:" for example (there's also other's like "chrome:", etc.).

A good way is to collect some known exploits, and check (perhaps using Unit Testing for regression testing) whether your form successfully blocks them or not.

Tommy1402 · #3 (**permalink**) 06-12-2007, 02:32 AM

Thanks. I just played a little bit with Zend StripTags, and it's great.
All I do right now is creating whitelist for allowed tags and attributes.

Maugrim The Reaper · #4 (**permalink**) 06-12-2007, 12:28 PM

I'd also suggest building a list of XSS exploits which use malformed tags. I know it seems a little redundant but better safe than sorry

.

Good luck with your project!

Tommy1402 · #5 (**permalink**) 06-13-2007, 09:06 AM

Hi again, I have no problem in declaring allowed Tags but I have difficulties in declaring allowed Attributes in Zend_Filter_StripTags.

I use this code:

Code:

$allowedTags = array(
   'b','i','br','font'
);
$allowedAttributes = array(
   'size','face'
);

$filter = new Zend_Filter_StripTags($allowedTags,$allowedAttributes);

but when I input this code:

Code:

<font size="7" face="impact">foobar</font>

only

Code:

<font>foobar</font>

is displayed.

Any help about the rule in creating allowed Attributes and use it since I didn't find anywhere in the web.

and by the way, I've tried HTMLPurifier and it can solve all my problem. But I just wanna do all the Zend way hehe...

Thanks again!

Maugrim The Reaper · #6 (**permalink**) 06-13-2007, 04:14 PM

Attribute names are definitely passed an array. You can also pass a single string if only one attribute (it's typed to an array internally in that case). Haven't tested it for a while so I'll check it later from my development PC.

Tommy1402 · #7 (**permalink**) 06-14-2007, 03:39 AM

Hi again...
I think I found problem. It's because the magic_quotes_gpc is On.

But, if I add line php_flag magic_quotes_gpc Off in my .HTACCESS file, I got Internal Server Error.

I google for it, then I found out that I have to put file PHP.INI in the same directory with my bootstrap file.

It then displayed

Code:

<font face="7">foobar</font>

still more googling... but it works...

btw, I tried to insert malformed input like

Code:

<font size="7 face="impact>test</font>

I remove one of the quote, the I got

Code:

<font>test</font>

well, it's nice...

Maugrim The Reaper · #8 (**permalink**) 06-14-2007, 09:25 AM

Magic quotes strikes again

.

Using a .htaccess does work - but not if you run PHP as a CGI process. Fortunately, magic_quotes just adds slashes. You can add a screening function to your bootstrap (something like below).

PHP Code:


			
/**
 * Strip slashes in the event magic_quotes_gpc is enabled
 */
$magicQuotesEnabled = (bool) ini_get('magic_quotes_gpc');
if($magicQuotesEnabled === true) {
    superglobal_strip_slashes(); 
}

// rest of bootstrap


/**
 * Function Definitions
 */

function superglobal_strip_slashes()
{
    if (isset($_GET) && !empty($_GET)) {
        strip_slashes_recursive($_GET);
    }
    if (isset($_POST) && !empty($_POST)) {
        strip_slashes_recursive($_POST);
    }
    if (isset($_COOKIE) && !empty($_COOKIE)) {
        strip_slashes_recursive($_COOKIE);
    }
}

/**
 * Recursively strip slashes from a value
 */
function strip_slashes_recursive(&$value)
{
    $value = is_array($value) ? array_map('strip_slashes_from', $value) : stripslashes($value);
    return $value;
}

It's an annoying addition but essential for porting applications to environments where magic quotes cannot be disabled by the user (e.g. distributing an open source application useable by those on shared hosts).

Tommy1402 · #9 (**permalink**) 06-15-2007, 03:34 AM

Great ! Thx a lot!

Maugrim The Reaper · #10 (**permalink**) 06-15-2007, 08:03 AM

No problem

.

Also keep an eye out for "magic_quotes_runtime". You can disable this from within any file (it's not php.ini only) if it's causing any issues.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode