Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > Programming Articles
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
Reasons never to allow HTML
CarCdr
Join Date: Apr 2004
Posts: 242

 

Show Printable Version Email this Page Subscription
CarCdr CarCdr is offline 08-09-2004, 10:00 PM

This was written in response to various queries regarding the use of HTML, most recently in this thread.
-----------------

In general, one is probably fine allowing bbcodes, although I do not know if bbcodes like IMG and URL are safe. (See below.)

While vB provides the capability to allow HTML, one should never use it. It opens your board to attack.

Use bbcodes. If you need to emulate an HTML tag, write a new bbcode.

The problem with allowing the injection of HTML is a complicated one. There is no 100% safe method to allow HTML and feel secure. Some of the issues and interactions are:

1. The obviously dangerous tags like SCRIPT and APPLET are not the only danger. Any injection of a URL can be dangerous. Any tag that allows for a URL (e.g., a, img, frame, ...) can be used for cross-site scripting and cookie stealing, which can allow someone to hack into your board.

2. Hackers can use various tricks that would result in a tag getting through the filter imposed by the PHP checker. Possible examples:
a) <sc\0ript> becomes <script>
b) <scr<embed>ipt> becomes <embed> or <script>

3. Then there is the issue of malicious tag attributes and events such as onclick and onmouseup.

--------
Potentially dangerous tags that accept URL's:
A, APPLET, AREA, BASE, BGSOUND, BODY, EMBED, FORM, FRAME, IFRAME, ILAYER, IMG, ISINDEX, INPUT, LAYER, LINK, OBJECT, SCRIPT, SOUND, TABLE, TD, TH, TR
Reply With Quote
  #2  
Old 08-10-2004, 11:11 AM
Dean C's Avatar
Dean C Dean C is offline
 
Join Date: Jan 2002
Location: England
Posts: 9,071
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I'll move this over to modifications hints and tips - I think we need a rename of that forum
Reply With Quote
  #3  
Old 08-10-2004, 10:19 PM
Natch's Avatar
Natch Natch is offline
 
Join Date: Nov 2002
Location: Australia
Posts: 851
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Handy Hints 4 Board Admins?
Reply With Quote
  #4  
Old 08-10-2004, 11:52 PM
deathemperor's Avatar
deathemperor deathemperor is offline
 
Join Date: Jul 2003
Location: HOL
Posts: 1,270
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

good hints
HTML is magic.
Reply With Quote
  #5  
Old 08-17-2005, 09:41 PM
Gutspiller's Avatar
Gutspiller Gutspiller is offline
 
Join Date: Dec 2001
Posts: 1,046
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Or you can just censor certain html tags and be a little safer:

Code:
<style </style <iframe </iframe <link </link <basefont </basefont <base </base <th </th <tfoot </tfoot <tbody </tbody <thead </thead <body </body <meta </meta <script </script <html </html <plaintext </plaintext <xmp </xmp <object <noframes <noembed <noscript <nojava onload onMouseover <fieldset :absolute style="position "position absolute; <caption onMouseOut view-source
:ermm:
Reply With Quote
  #6  
Old 08-17-2005, 09:44 PM
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Gutspiller
Or you can just censor certain html tags and be a little safer:

Code:
<style </style <iframe </iframe <link </link <basefont </basefont <base </base <th </th <tfoot </tfoot <tbody </tbody <thead </thead <body </body <meta </meta <script </script <html </html <plaintext </plaintext <xmp </xmp <object <noframes <noembed <noscript <nojava onload onMouseover <fieldset :absolute style="position "position absolute; <caption onMouseOut view-source
:ermm:
Censor is really easy to get around
Reply With Quote
  #7  
Old 08-24-2005, 10:54 PM
FrozenCreations FrozenCreations is offline
 
Join Date: Jul 2005
Posts: 89
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

i have an even better reason /;

do not alow <img /> tags!!

<HTML>
<BODY>
<IMG SRC="./bsod.gif" width="9999999"height="9999999" />
</BODY>
</HTML>

INSTANT DOOM!! muahahahahahaha

(it chrashes the page
Reply With Quote
  #8  
Old 08-25-2005, 05:23 AM
AN-net's Avatar
AN-net AN-net is offline
 
Join Date: Dec 2003
Location: AnimationTalk.com
Posts: 2,367
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Gutspiller
Or you can just censor certain html tags and be a little safer:

Code:
<style </style <iframe </iframe <link </link <basefont </basefont <base </base <th </th <tfoot </tfoot <tbody </tbody <thead </thead <body </body <meta </meta <script </script <html </html <plaintext </plaintext <xmp </xmp <object <noframes <noembed <noscript <nojava onload onMouseover <fieldset :absolute style="position "position absolute; <caption onMouseOut view-source
:ermm:
there are still so many more possibilities to use vicious javascript and code
Reply With Quote
  #9  
Old 08-25-2005, 08:14 PM
FrozenCreations FrozenCreations is offline
 
Join Date: Jul 2005
Posts: 89
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

and theres always my instant doom img tag

the downside is, you gota upload your own pic /;
Reply With Quote
  #10  
Old 09-28-2005, 03:17 AM
Tradjick Tradjick is offline
 
Join Date: Jan 2004
Posts: 219
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

And when enabling HTML only for Admins, would that be safe, beside the risk that someone gets Admin access?
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:47 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.07789 seconds
  • Memory Usage 2,294KB
  • Queries Executed 23 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (3)bbcode_code
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (1)post_thanks_box_bit
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (10)post_thanks_postbit_info
  • (9)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete