Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Re: XSS-Bug in HTML::BBCode

by b10m (Vicar)
on Aug 14, 2007 at 13:57 UTC ( #632496=note: print w/ replies, xml ) Need Help??


in reply to Re^2: XSS-Bug in HTML::BBCode
in thread XSS-Bug in HTML::BBCode

Thanks for reporting!

I'll see if I can patch it asap. Any pointers on how to prevent this in a nice way could be helpful :-)

--
b10m

All code is usually tested, but rarely trusted.


Comment on Re: XSS-Bug in HTML::BBCode
Re^2: XSS-Bug in HTML::BBCode
by Corion (Pope) on Aug 14, 2007 at 14:06 UTC

    I guess that allowing only /^\w+$/ as values is a sane approach at least for the [color] tag. For the other values, you will need to come up with other ways, I suggest restrictive regular expressions there as well. As long as you keep the permissions restrictive in the sense that your REs describe what's allowed instead of describing what's forbidden, you'll be safe(r).

    Especially for the [colour] tag, you could also explicitly list the set of allowed colours in your regular expression.

Re^2: XSS-Bug in HTML::BBCode
by Taulmarill (Deacon) on Aug 14, 2007 at 14:11 UTC
    Lucky for you i had some time to read your source ;-)

    I think the main-problem is how $attr is handled in sub _do_BB. Basically you should try to filter any content in $attr which is not what you expect. Right now you filter < and >. In addition you should also filter ; and " since ; can begin a new css-attribute and " can end the css altogether and start something new (like i did with onmouseover="").

    Maybe it would also be nice to change the behavior from just filtering out all unwanted stuff to changing broken BBCode into text. That would resemble what phpBB actually does.
Re^2: XSS-Bug in HTML::BBCode
by clinton (Priest) on Aug 14, 2007 at 14:25 UTC
    You might consider using HTML::StripScripts (I'm the maintainer) as a filter for your output HTML. It'll filter tags, attributes and styles. Instead of returning the HTML directly, you would need to feed it tokens like start and end tags with attributes, content etc, and set the level of filtering that you would like.

    Have a look at HTML::StripScripts::Parser and HTML::StripScripts::LibXML for ideas of how to interface with HTML::Stripscripts.

    Clint

      I was actually already looking into this possibility :-) Instead of changing the parser's behaviour, just let it do it's work and then remove all unwanted stuff afterwards. That _should_ prevent further abuse aswell (assuming your module is flawless ;-) )

      --
      b10m

      All code is usually tested, but rarely trusted.
        If it's not flawless, I'll point all blame at the original author - any praise will, naturally, stop with me :)

        That said, I've added tests for all (relevant) exploits on the XSS (Cross Site Scripting) Cheat Sheet website.

        I don't know what tags you generate through HTML::BBCode, but you may need to override (by sub-classing) the default list if you need to add any.

        Also, I think that your HTML generator would be a good match with HTML::StripScripts, because StripScripts need to receive tokens, and your module is generating tokens... the interface should be pretty easy.

        If you need any help with it, drop me a /msg

        Clint

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://632496]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others musing on the Monastery: (4)
As of 2014-07-13 07:20 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    When choosing user names for websites, I prefer to use:








    Results (248 votes), past polls