Go Back   vb.org Archive > Community Discussions > Modification Requests/Questions (Unpaid)
  #1  
Old 03-04-2006, 09:52 PM
lancxeon lancxeon is offline
 
Join Date: Feb 2006
Posts: 14
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default allow html

i want to allow html, and block out certain "TAGS" in the user profiles. anyone know how?

... oh come on. i know this is prolly easy as hell, lol. answer?

umm, answer?
Reply With Quote
  #2  
Old 03-05-2006, 10:09 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

There is no secure way to allow "safe posting of html".
Reply With Quote
  #3  
Old 03-05-2006, 12:28 PM
Kacela's Avatar
Kacela Kacela is offline
 
Join Date: Mar 2005
Location: Connecticut, USA
Posts: 88
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This already exists https://vborg.vbsupport.ru/showthread.php?t=96926 , but I would be wary. There are too many exploits. I would address this the way I would when I deploy a router or a firewall. I would apply some sort of "ALLOW|PERMIT" list to either allow or deny certain HTML tags and attributes, probably specified in a CSS. Doing it in this manner may also allow you to have certain member groups the ability to have more HTML functionality.
I believe if you are very careful and knowledgeable about the functionality and possible exploitation of any tag or attribute, that this is feasible. I have some notes from a "white hat", (or ethical hacking,) presentation I have that I can pass along. Their site, by the way is http://www.whitehatsec.com if you want to read about all known exploits.
First we need to identify potentially malicious character strings like:
Code:
../   (Directory Transversal) 
(*, ?, +)  (file globbing characters)
";"   (Command Appending) 
">" "<" "|" (Data Piping & Re-Directs) 
" and ?  (Input String & Command Manipulation)
etc...
So, we'd want to filter or replace those characters.

Any web application allowing HTML is at risk. Even when proper precautions are taken, this is not something you can get around. As in all security access control, "ALLOW|PERMIT" lists are the safest way to go. Potentially dangerous HTML:
HTML Code:
<APPLET>
<BASE>
<BODY>
<EMBED>
<FRAME>
<FRAMESET>
<HTML>
<IFRAME>
<IMG>
<LAYER>
<META>
<OBJECT>
<P>
<SCRIPT>
<STYLE>
etc...
Also any HTML that has these attributes could be dangerous:
HTML Code:
      STYLE
      SRC
      HREF
      TYPE
You need to be careful of seemingly innocent HTML strings that when combined with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript Event Handler), can be malicious.

Some of the more well-known exploits and possible solutions:
Code:
<SCRIPT>alert('JavaScript Executed');</SCRIPT>
Solution: replace all "script" tags.

Code:
<IMG SRC="javascript:alert('JavaScript Executed');">
Replace "javascript" strings in all SRC & HREF attributes in HTML tags with another string.

Any HTML tag with a SRC attribute will execute this script on page load or on link activation.

As filters search for the (JavaScript/LiveScript/Mocha) strings to filter, placing a single line break in the string will cause the string to bypass the filter, but still execute client-side.
Code:
<IMG SRC="javasc 

ript:alert('JavaScript Executed');">
Solution: Filter white space before the keyword strings, and filter for the multiple whitespace occurrences. Tabs, Newlines, Carriage Return, spaces, etc.

As another derivative of the previous, Decimal HTML entities within these strings can cause filter bypass.
Code:
<IMG SRC="javasc	ript:alert('JavaScript Executed');">
Hex instead of Decimal HTML entities will also bypass input filters and execute.
Code:
<IMG SRC="javasc&#X0A;ript:alert('JavaScript Executed');">
As well as placing multiple ZERO's in front.
Code:
<IMG SRC=javasc
ript:alert('JavaScript Executed');>
Solution: Filter these entities within the string then do your further pattern matching.

Ther are plenty of others, like turning a style tag into a JavaScript expression; importing dangerous CSS, Import a JavaScript Expression through a style tag (good fodder for you IE haters :P ), using the style attribute to evaluate a JavaScript expression, the stripping of and not replacing of keywords from a string may be used to get around certain CGI filters, The use of alternating caps within a line may cause the executable code to pass through due to case sensitivity within pattern matches, and it goes on...

So, in order for this to be feasible, we'll need to create a safe HTML Allow list, and compare Allow list against known dangerous HTML tags and attributes. XML, SOAP, and AJAX technologies only compound these issues. Again, I beleive it can be done, though you are playing with fire, but a very THOROUGH understanding of each allowed HTML tag and attribute needs to be done. [/nerd_mode] :P

Some of this content is Copyright 2001 WhiteHat Security
Reply With Quote
  #4  
Old 03-05-2006, 03:44 PM
lancxeon lancxeon is offline
 
Join Date: Feb 2006
Posts: 14
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

haha, thanxz i will read all this, but this looks like allowing it in the posts to?.. im not stupid enough to do that. i just want it in the about me and who i like to meet yada yada in the users profiles

come on. just tell me how to parse html in user profile feilds

cant be that hard.. lol
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 11:49 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.03823 seconds
  • Memory Usage 2,191KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (7)bbcode_code
  • (2)bbcode_html
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (4)post_thanks_box
  • (4)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (4)post_thanks_postbit_info
  • (4)postbit
  • (4)postbit_onlinestatus
  • (4)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete