Sanitizing input of potential attacks & disallowed code

schwim

Hi there everyone,

I'm working on an HTML sandbox. A page where someone can enter html and have it show up in another frame of the page, allowing them to tweak and save it. It's intended for things like eBay auctions, where some HTML is allowed, but not all. I'd like to not only strip what's not allowed, I'd also like to protect the script from the vulnerabilities you have when allowing code to be submitted for parsing/storage.

I found these sanitizer classes during my searches:

http://pear.php.net/pepr/pepr-proposal-show.php?id=436
http://pear.php.net/package/HTML_Safe/download
http://www.phpclasses.org/browse/package/3746.html

but before I commit to integrating any particular class, I wanted to ask your opinions and thoughts.

I need to strip everything that's not HTML(other languages like php) and I need to strip particular aspects of the HTML(javascript, particular tags, etc.).

If there's more information needed, please just let me know and I'll happily provide it.

thanks,
json

bretticus

schwim;10886434 wrote:
I need to strip everything that's not HTML(other languages like php) and I need to strip particular aspects of the HTML(javascript, particular tags, etc.).
n

If you need a custom solution, you'll find that these classes are probably based on extracting content via regular expressions. Have a look at the comments under strip_tags() on the PHP manual.

schwim

Hi there Bretticus,

Thanks very much for your reply. Currently, I'm using some snippets from the comments, but there's a couple things that concern me. There's no validation to the snippets. Anyone(including me) can post them and often, two posts further up, someone will tell them why it's no good. You're just hoping that the commenter knows more about the situation than you do 🙂

Also, I thought there would be a function that was widely used due to it's security and features. That very well may not be the case, but it is always worth a shot 🙂

thanks,
json

bretticus

schwim;10886513 wrote:
Currently, I'm using some snippets from the comments, but there's a couple things that concern me. There's no validation to the snippets.

Fortunately, there's a specific format to html. Has to be or browsers cannot render it. I mean, a script tag ALWAYS starts with a "<script" and ends with a "</script>." There's just no way around it. If I see a code suggestion, the best way to trust it is to see if it works by testing it. You can get a lot of source code from the internet to test it against, for example.

schwim;10886513 wrote:
Also, I thought there would be a function that was widely used due to it's security and features. That very well may not be the case, but it is always worth a shot 🙂

There is, strip_tags(). Basically, you just don't want a malicious user to post anything that can facilitate cross-site browser attacks (like javascript for example.) At it's core, strip_tags() is very useful for cleaning out html when it's not allowed (usually because of this very issue.) However, you didn't want to get rid of all html. Fortunately, you can pass the tags you'd like to leave. For example, you could tell it to leave paragraphs, breaks, or other layout tags considered safe.

schwim

I was thinking more along the lines of where strip_tags stops it's magic:

From php.net:

This function does not modify any attributes on the tags that you allow using allowable_tags , including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users.

What I meant by my previous comment was a class or function that allows you more customization and control. I understand your points and am using it currently.

thanks,
json

bretticus

Very good point. A user could definitely do an onclick/onblur/onfocus attribute. Yeah, looks like you're back to your custom implementation. This is probably why most folks allow bbcode for simple formatting and no html.