
Why is letting HTML dangerous?


Lea Verou
07-30-2007, 04:08 AM
I have read everywhere that letting a user post pure HTML is a site suicide.
I have accepted it for years as an axiom, like 1+1=2.
However, I've seen popular blogging sites allow their bloggers to change the template by providing them with its whole HTML, including <script> tags and everything!
Aren't they afraid? Have they taken any "special measures" to prevent abuse, and if so, what measures?

Dismounted
07-30-2007, 06:04 AM
Yes, allowing HTML can let hackers inject malicious Javascript into a page, which could potentially steal people's cookie data.

ablaye
07-30-2007, 08:49 PM
Yes, allowing HTML can let hackers inject malicious Javascript into a page, which could potentially steal people's cookie data.

Can you provide an example??? :D

cheat-master30
07-30-2007, 09:09 PM
I have read everywhere that letting a user post pure HTML is a site suicide.
I have accepted it for years as an axiom, like 1+1=2.
However, I've seen popular blogging sites allow their bloggers to change the template by providing them with its whole HTML, including <script> tags and everything!
Aren't they afraid? Have they taken any "special measures" to prevent abuse, and if so, what measures?


They can use CSS and styling to disrupt the layout massively, or make parts of the login box or other features/links disappear from view.
As said, Javascript cookie stealing.
Javascript causes really annoying effects such as things flying around or maybe the page upside down/flipped.
Iframes to embed viruses and other malware.
Iframes or forms to embed fake forms for phishing purposes/stealing passwords, even making the fake form look part of the site.
Crashing the browser with an extremely large image.
Redirects to other, potentially dangerous/offensive pages.
Browser exploits.
Annoyances such as leaving tags open to turn everything bold under the empty tag or italic or underline etc...

Dismounted
07-31-2007, 05:59 AM
Can you provide an example??? :D
No, because then you'd go around trying to exploit forums...

Lea Verou
07-31-2007, 06:08 AM
They can use CSS and styling to disrupt the layout massively, or make parts of the login box or other features/links disappear from view.
As said, Javascript cookie stealing.
Javascript causes really annoying effects such as things flying around or maybe the page upside down/flipped.
Iframes to embed viruses and other malware.
Iframes or forms to embed fake forms for phishing purposes/stealing passwords, even making the fake form look part of the site.
Crashing the browser with an extremely large image.
Redirects to other, potentially dangerous/offensive pages.
Browser exploits.
Annoyances such as leaving tags open to turn everything bold under the empty tag or italic or underline etc...

So, they can't harm the whole site, just the current page?
If so, then these blogging sites are not doing anything dangerous, each blog is its blogger's responsibility...

Dismounted
07-31-2007, 06:20 AM
But your forum is your responsibility.

Lea Verou
07-31-2007, 06:35 AM
But your forum is your responsibility.

Definitely. :)
But I'm going to add blogs to it, and I'm wondering if I should let them customize the whole HTML template or just the CSS. That's why I asked :)

vertigo jones
07-31-2007, 01:33 PM
There's also things like that Myspace friends worm that happened early on over there.

Had some shit where there was some javascript embedded on someone's profile and then everyone who came to that page was added as a friend to that person AND it also copied itself to the viewing person's profile. Within a day or so the guy who started it was friends with everyone on Myspace. Something like that.

People can do weird, potentially dangerous things when they can stick whatever javascript they want on a page.

Lea Verou
08-01-2007, 08:47 AM
So I'd better let them customize just the css?
Are there any exploits that someone can perform from css?
(We suppose that the code will strip HTML tags, so that's not the case)

EnIgMa1234
08-01-2007, 09:03 AM
Yeah, I think CSS is OK.

Dismounted
08-01-2007, 09:09 AM
Letting CSS is okay, as exploits shouldn't be able to run from it.

Lea Verou
08-01-2007, 09:49 AM
Then why does WordPress have this in the CSS comments?:

Things we strip out include:
* HTML code
* @import rules
* expressions
* invalid and unsafe code
* URLs not using the http: protocol

(WordPress lets users customize only the CSS)
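A small CSS filter that applies the five stripping rules quoted above, added here as an illustration; it is neither WordPress's code nor anything posted in the thread. The selector and property allow-lists, the two blocked property names, the sample stylesheet and its host names are all assumptions made for the example.

```python
import re

# Assumed allow-lists (not from WordPress): conservative selector syntax, and two
# property names that old IE/Gecko builds used to attach script to elements.
SELECTOR_RE = re.compile(r"^[\w\s.#:>+~*,\-\[\]=\"']+$")
PROPERTY_RE = re.compile(r"^-?[a-z][a-z0-9-]*$")
UNSAFE_PROPS = {"behavior", "-moz-binding"}
HTML_ELEMENT_RE = re.compile(r"<([a-z][a-z0-9]*)[^>]*>.*?</\1\s*>", re.I | re.S)
HTML_TAG_RE = re.compile(r"<[^>]*>")
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
IMPORT_RE = re.compile(r"@import[^;]*;", re.I)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")   # flat rules only; nested @media is not handled
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]*)['\"]?\s*\)", re.I)

def declaration_is_safe(prop: str, value: str) -> bool:
    # Rules 3-5: no expression(), no unsafe/invalid code, only http: URLs.
    if not PROPERTY_RE.match(prop) or prop in UNSAFE_PROPS:
        return False
    if "expression(" in value.lower() or "\\" in value:   # escapes are not decoded, so reject them
        return False
    return all(u.strip().lower().startswith("http://") for u in URL_RE.findall(value))

def sanitize_css(css: str) -> str:
    # Returns the subset of `css` that survives the five rules; dropped parts are discarded silently.
    css = COMMENT_RE.sub("", css)
    css = HTML_ELEMENT_RE.sub("", css)   # rule 1: HTML code, elements with their content...
    css = HTML_TAG_RE.sub("", css)       # ...and any stray tags
    css = IMPORT_RE.sub("", css)         # rule 2: @import rules
    kept = []
    for m in RULE_RE.finditer(css):
        selector = " ".join(m.group(1).split())
        if not SELECTOR_RE.match(selector):
            continue                     # rule 4: reject the whole rule on an unparseable selector
        decls = []
        for decl in m.group(2).split(";"):
            if ":" not in decl:
                continue
            prop, value = (s.strip() for s in decl.split(":", 1))
            if declaration_is_safe(prop.lower(), value):
                decls.append(f"{prop.lower()}: {value}")
        if decls:
            kept.append(f"{selector} {{ {'; '.join(decls)}; }}")
    return "\n".join(kept)

# Constructed sample: one violation of each rule plus harmless declarations.
SAMPLE_CSS = """
@import url(http://evil.example/hidden.css);
body { color: #333; background: url(javascript:alert(1)); }
a:hover { width: expression(alert(1)); text-decoration: underline; }
<script>alert(1)</script>
p { behavior: url(http://evil.example/x.htc); margin: 0; }
.header { background: url("http://cdn.example/bg.png"); }
"""
```

Running `sanitize_css(SAMPLE_CSS)` keeps only `color`, `text-decoration`, `margin` and the http: background image; a real deployment would want a proper CSS tokenizer rather than these regexes, since escapes and nested at-rules are simply rejected here.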

Dismounted
08-01-2007, 09:58 AM
Hmmm, in theory, browsers should parse CSS as CSS and nothing more. Haven't tested this across multiple browsers though.

nico_swd
08-01-2007, 11:29 AM
This will be useful.

http://htmlpurifier.org/

Fabsboards
08-02-2007, 05:01 AM
Are there any options to limit HTML to "trusted" users, perhaps admins and moderators?

Dismounted
08-02-2007, 06:22 AM
Not in stock vBulletin. There is a modification that does this though.

Adrian Schneider
08-02-2007, 07:00 AM
CSS can be dangerous too. There are even some vulnerabilities which rely on CSS, such as the cursor exploit.

Fabsboards
08-03-2007, 12:43 AM
Not in stock vBulletin. There is a modification that does this though.

Do you know the name of the modification? I'd love to use it.

Dismounted
08-03-2007, 10:53 AM
Not off the top of my head.

Lea Verou
08-03-2007, 07:28 PM
CSS can be dangerous too. There are even some vulnerabilities which rely on CSS, such as the cursor exploit.
How can someone "purify" the CSS then, apart from stripping out HTML code?

Adrian Schneider
08-03-2007, 08:17 PM
You can't really. However, this was a browser exploit (actually a Windows thing, but it only affected IE). Windows had a bug with parsing the cursor files, so basically it would execute it as raw code or something, which then led to the installation of about 5 different viruses :(

[off topic]: working on a client's site, and I had up-to-date virus definitions... I am very prompt with that kind of thing. He says there is a problem with his site, like it's been hacked or something. So I view it with Firefox... looks fine. So he tells me to view it with IE, and that was the end of it. It got in so deep I had to reformat my PC and I was off for about a week :( all this from a CSS exploit!

I would strip out some annoying CSS things. Be careful with allowing it though, because they can change nearly everything on the page with CSS!