[RESOLVED] Can anyone add to this

slimjim

I want to let members use html for a blog posting but want it secure for server as well as for visitors to blog.
I also am going to allow images in html. And I know it can be dangerous but I know there must be a way to make it safe.
I am also going to allow links in their html.

What they submit will not go into database but will be added to a txt file before being approved. After approved the txt file will be converted to a php file.

Anyways here is what you can add to if you can help make it safer.

function cleantext($str,$strlang=false) {
   $str = rtrim($str);
   // remove all harmful tags
   $stripsearch = array("'<head[^>]*?>.*?</head>'si",   // Strip out javascript
               "'<!DOCTYPE[^>]*?>'si",            // Strip out doctype
               "'<script[^>]*?>.*?</script>'si",   // Strip out javascript
               "'<iframe[^>]*?>.*?</iframe>'si",   // Strip out iframes
               "'<iframe[^>]*?>'si",            // Strip out iframes
               "'<bgsound[^>]*?>'si",            // Strip out iframes
               "'<meta[^>]*?>'si",               // Strip out meta tags
               "'<form[^>]*?>.*?</form>'si",      // Strip out forms
               "'<object[^>]*?>.*?</object>'si",   // Strip out objects
               "'<embed[^>]*?>.*?</embed>'si",      // Strip out embeds
               "'<applet[^>]*?>.*?</applet>'si",   // Strip out applets
               "'</?body[^>]*?>'i",            // Strip out body tags
               "'</?html>'i",                  // Strip out html tag
               );
   $stripreplace = "";
   $returnstr = preg_replace($stripsearch,$stripreplace,$str);
   $changearr = array("\r"=>"\n",
      "\r\n"=>"\n",
      "\n\n\n" => "\n\n",
      "  "=>" ",
      "<?"=>"<?",
      "#exec"=>"itriedtohackthis",
      "<meta"=>"<meta",
      "<script"=>"<script",
      "<iframe"=>"<iframe",
      "<form"=>"<form",
      "<object"=>"<object",
      "<embed"=>"<embed",
      "javascript:"=>"",
      "onclick"=>"",
      "ondblclick"=>"",
      "onmousedown"=>"",
      "onmouseup"=>"",
      "onmouseover"=>"",
      "onmousemove"=>"",
      "onmouseout"=>"",
      "onkeypress"=>"",
      "onkeydown"=>"",
      "onkeyup"=>""
      );
   $returnstr = strtr($returnstr,$changearr);
   return $returnstr;
}

wilku

Instead of not allowable tags, it would be better to define tags that are allowable. Have you seen [man]strip_tags[/man]?

slimjim

The dangerous tag list is shorter I would think. And of course certain tags like for images can have attributes that can contain protocols.
Also what about dangerous protocols like vbscript,view-source,lynxexec and others like dangerous CSS keywords, and things like xml.
I was not thinking about just tag and between tag removal, so I guess I didnt explain my self correctly.
I think I am thinking about a good way of allowing people to add html but make it safe for server as well as for visitors viewing a page.

dougal85

Well your opening a huge can of worms. It's not an easy thing to do.

Certain browsers have problems and stuff you need to be aware of. I think for example you can inject JavaScript into CSS in IE6. This was a bug that somebody abused in myspace. And since every element can have CSS styles...

You'd be way better white listing than blacklisting. I think..

slimjim

By white listing you mean to make a list of allowable tags ?

slimjim

I was thinking, if we make a white list of allowable tags, how does that even stop css attributes, because people could still add attributes to links as well and image links, and I want to allow links and images.

So does anyone know how myspace prevented these issues.

slimjim

Why wouldnt this work ?
Would this not remove style attributes including css
First it has a list of allowable tags and attributes that would be removed

     function removeEvilAttributes($tagSource)
{
        $stripAttrib = "' (style|class|onabort|onactivate|onafterprint|onafterupdate|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditfocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|oncontrolselect|oncopy|oncut|ondataavaible|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragdrop|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror|onerrorupdate|onfilterupdate|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmoveout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizeend|onresizestart|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)=\"(.*?)\"'i";
        $tagSource = stripslashes($tagSource);
        $tagSource = preg_replace($stripAttrib, '', $tagSource);
        return $tagSource;
}

function removeEvilTags($source)
{
    $allowedTags='<a><br><b><h1><h2><h3><h4><i>' .
             '<img><li><ol><p><strong><table>' .
             '<tr><td><th><u><ul>';
    $source = strip_tags($source, $allowedTags);
    return preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source);
}

slimjim

Well that was not good either cause it woudnt even detect this
<A href="JavaScript:window.open('somedoc.html', 'newWindow')">click here</A>

slimjim

Does anyone have a secure way to allow html and images and links for a blog posting at all.
Secure for server and visitors ?
If so please post cause this is driving me nuts.

NogDog

You might consider using a "BBCode" system similar to this forum's, such as provided by the PEAR HTML_BBCodeParser package or the BBCode PECL extension

slimjim

I posted another and decided that bbcode is the best way to go and safer then anything else for posting.