3 months after launching my site someone did a redirect on my index page to a hacking site. I hired a freelancer to tighten security. He used Pear's strip function or whatever. Basically it looks for tags like embed, script, etc. and removes them.

He told me that allowing users to embed anything they want was a security vulnerability. I researched this and found many people online saying the same thing. I tried to research how to safely embed and on multiple occasions came up with people saying to create special tags like a youtube tag for if users want to embed a youtube video, etc.

Maybe that can be part of the solution I don't know.

Sites like Myspace don't make the user enter things like a youtube tag, etc. The user inputs just about any widget code they find online, whether it has embed or other tags, and it seems to work. Now of course myspace converts any url into some msplinks url or something, but nonetheless before that happened you could view html source and see the widget codes.

If I simply allowed embed then I would imagine users could embed password theft scripts or other malicious code. Does anyone know how myspace seems to allow me to just copy/paste any widget code I find and have it work, while keeping myspace somewhat secure? Maybe I'm mistaken and maybe the security on myspace isn't secure.

Anyone have any URLs or comments at all on how to allow my users to be able to put many of the widgets into their profiles? It seems most of the problems are with the embed tag although there may be some other tags as well. Users have been complaining ever since the security fix more than a year ago. I looked at the security code a few times but it seemed pretty cut and dried to have it remove input with certain tags or not. I'm just not able to think of any ideas on how I can safely allow embed tags, mainly because I don't know enough about the embed security vulnerability. I'm going to research this a bit, meanwhile please chime in if you know more than I do.

Thanks

Chris

    I came upon this post http://forums.pligg.com/pligg-mods/1230-embed-security-hole-url-filtering.html#post7862 which contains the following code:

    <?php
    $string = 'This is a cool video<embed src="http://www.metube.com/v/zyyCcjbrWOM" type="application/x-shockwave-flash" wmode="transparent" width="100" height="350"></embed> The world is going to end';
    // Work on an entity-encoded copy so the tag shows up as &lt;embed ... &gt;
    $mutant = htmlentities($string);
    //echo $mutant;
    // Hosts whose embeds are allowed through
    $urls = array("www.youtube.com", "ifilm.com");
    $content = false;

    // First find the <embed
    $pos = strpos($mutant, '&lt;embed');
    if ($pos !== false) {
        // embed was found: remove anything in front of the embed
        $mutant = substr_replace($mutant, '', 0, $pos);
        // find the end of the opening tag >
        $wholeLength = strlen($mutant);
        $pos = strpos($mutant, '&gt;');
        if ($pos !== false) {
            // the > was found, drop everything after it (4 = strlen('&gt;'))
            $mutant = substr_replace($mutant, '', $pos + 4, $wholeLength);
            // we now have just the embed tag; check whether one of the
            // allowed hosts appears anywhere inside it (substring match)
            foreach ($urls as $url) {
                $found = strpos($mutant, $url);
                if ($found !== false) {
                    // found it
                    $content = true;
                    break;
                }
            }
        }
    }

    if ($content == true) {
        // don't strip embed
        echo strip_tags($string, "<embed>");
    } else {
        // strip embed
        echo strip_tags($string, "");
    }
    ?>

    Doesn't this only determine if the url exists? If the url has malicious code then it still exists and would be allowed?
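    A safer variant of the same allow-list idea, added here as an example and not code from the thread or from Pligg: instead of checking whether the host name appears anywhere in the tag and then echoing the user's own markup through strip_tags, it parses the src URL, compares the host exactly against the list, and rebuilds the embed tag itself from fixed attributes. The host list and the 425x350 size are assumptions; plain PHP 5.2+ functions only.

```php
<?php
// Added example, not from the forum post. Allowed hosts are an assumption.
$allowedHosts = array('www.youtube.com', 'youtube.com', 'ifilm.com');

// Pull the src value out of the first <embed ...> tag (quoted or unquoted).
function extractEmbedSrc($html) {
    if (!preg_match('/<embed\b[^>]*\bsrc\s*=\s*(["\']?)([^"\'\s>]+)\1/i', $html, $m)) {
        return null;
    }
    return $m[2];
}

// Exact host comparison on a parsed URL, not a substring search of the tag.
function isAllowedEmbedSrc($src, $allowedHosts) {
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Never echo the user's <embed>; keep only its text and rebuild the tag
// from the one value we validated, with attributes we choose ourselves.
function renderEmbed($userHtml, $allowedHosts) {
    $src  = extractEmbedSrc($userHtml);
    $text = htmlspecialchars(strip_tags($userHtml), ENT_QUOTES, 'UTF-8');
    if ($src === null || !isAllowedEmbedSrc($src, $allowedHosts)) {
        return $text; // no allowed embed: plain escaped text only
    }
    return $text
        . '<embed src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '"'
        . ' type="application/x-shockwave-flash" width="425" height="350"></embed>';
}

// Constructed inputs: the first passes; the second only contains the allowed
// name inside its path, so the substring check above would have let it through.
echo renderEmbed('Cool video<embed src="http://www.youtube.com/v/abc123" onload="x()"></embed> end', $allowedHosts), "\n";
echo renderEmbed('Other<embed src="http://other.example/www.youtube.com/x.swf"></embed>', $allowedHosts), "\n";
```

    Note that the user-supplied onload attribute in the first input never reaches the output, because the tag is rebuilt rather than passed through; a whole-document sanitizer such as HTML Purifier (mentioned below in the thread) covers far more cases than this one-tag check.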

      I'm going to give this product a try: http://htmlpurifier.org/
      Says it does a lot more than I wanted which may come in handy. Anyone have any experience with this thing?

        Ok their site makes it clear you have to have PHP5 which my host doesn't have. I don't know if I'd need to change any code in my social network files. For now I'm probably going to put this on hold until I move to a new hosting company since I'm not thrilled with the one I'm at now. If anyone reads this before that happens, please let me know if you have any relevant experience or advice. Thanks

          Ok their site makes it clear you have to have PHP5 which my host doesn't have.

          Pressure your host to provide PHP 5 as an option since official PHP 4 support by the PHP development team has ended. If they refuse to budge, change hosts.
