PDA

View Full Version : allow html


lancxeon
03-04-2006, 09:52 PM
i want to allow html, and block out certain "TAGS" in the user profiles. anyone know how?

... oh come on. i know this is prolly easy as hell, lol. answer?

umm, answer?

Marco van Herwaarden
03-05-2006, 10:09 AM
There is no secure way to allow "safe posting of html".

Kacela
03-05-2006, 12:28 PM
This already exists https://vborg.vbsupport.ru/showthread.php?t=96926 , but I would be wary. There are too many exploits. I would address this the way I would when I deploy a router or a firewall. I would apply some sort of "ALLOW|PERMIT" list to either allow or deny certain HTML tags and attributes, probably specified in a CSS. Doing it in this manner may also allow you to have certain member groups the ability to have more HTML functionality.
I believe if you are very careful and knowledgeable about the functionality and possible exploitation of any tag or attribute, that this is feasible. I have some notes from a "white hat", (or ethical hacking,) presentation I have that I can pass along. Their site, by the way is http://www.whitehatsec.com if you want to read about all known exploits.
First we need to identify potentially malicious character strings like:../ (Directory Transversal)
(*, ?, +) (file globbing characters)
";" (Command Appending)
">" "<" "|" (Data Piping & Re-Directs)
" and ? (Input String & Command Manipulation)
etc...So, we'd want to filter or replace those characters.

Any web application allowing HTML is at risk. Even when proper precautions are taken, this is not something you can get around. As in all security access control, "ALLOW|PERMIT" lists are the safest way to go. Potentially dangerous HTML:<APPLET>
<BASE>
<BODY>
<EMBED>
<FRAME>
<FRAMESET>
<HTML>
<IFRAME>
<IMG>
<LAYER>
<META>
<OBJECT>
<P>
<SCRIPT>
<STYLE>
etc...Also any HTML that has these attributes could be dangerous: STYLE
SRC
HREF
TYPE
You need to be careful of seemingly innocent HTML strings that when combined with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript Event Handler), can be malicious.

Some of the more well-known exploits and possible solutions:<SCRIPT>alert('JavaScript Executed');</SCRIPT>
Solution: replace all "script" tags.

<IMG SRC="javascript:alert('JavaScript Executed');">Replace "javascript" strings in all SRC & HREF attributes in HTML tags with another string.

Any HTML tag with a SRC attribute will execute this script on page load or on link activation.

As filters search for the (JavaScript/LiveScript/Mocha) strings to filter, placing a single line break in the string will cause the string to bypass the filter, but still execute client-side.<IMG SRC="javasc

ript:alert('JavaScript Executed');">Solution: Filter white space before the keyword strings, and filter for the multiple whitespace occurrences. Tabs, Newlines, Carriage Return, spaces, etc.

As another derivative of the previous, Decimal HTML entities within these strings can cause filter bypass.<IMG SRC="javasc ript:alert('JavaScript Executed');">
Hex instead of Decimal HTML entities will also bypass input filters and execute.<IMG SRC="javasc&#X0A;ript:alert('JavaScript Executed');">
As well as placing multiple ZERO's in front.<IMG SRC=javasc
ript:alert('JavaScript Executed');>Solution: Filter these entities within the string then do your further pattern matching.

Ther are plenty of others, like turning a style tag into a JavaScript expression; importing dangerous CSS, Import a JavaScript Expression through a style tag (good fodder for you IE haters :P ), using the style attribute to evaluate a JavaScript expression, the stripping of and not replacing of keywords from a string may be used to get around certain CGI filters, The use of alternating caps within a line may cause the executable code to pass through due to case sensitivity within pattern matches, and it goes on...

So, in order for this to be feasible, we'll need to create a safe HTML Allow list, and compare Allow list against known dangerous HTML tags and attributes. XML, SOAP, and AJAX technologies only compound these issues. Again, I beleive it can be done, though you are playing with fire, but a very THOROUGH understanding of each allowed HTML tag and attribute needs to be done. [/nerd_mode] :P

Some of this content is Copyright 2001 WhiteHat Security

lancxeon
03-05-2006, 03:44 PM
haha, thanxz i will read all this, but this looks like allowing it in the posts to?.. im not stupid enough to do that. i just want it in the about me and who i like to meet yada yada in the users profiles

come on. just tell me how to parse html in user profile feilds

cant be that hard.. lol