Gossamer Forum
Home : Products : Gossamer Links : Discussions :

Security risk? HTML code in Description field

Quote Reply
Security risk? HTML code in Description field
Hi,

I noticed that by default it is possible to enter html code in the link description field, and that this doesn't get escaped out when the category/detailed pages are generated.

Is this a security risk? I'm thinking of things like cross site scripting etc (although I'm no expert on these things - so wanted to get advice from the community)

(Note - I actually want my editors to be able to "bold" text and add "urls" to the description field and a couple of other text fields I have created - but I'm a bit worried about the potential for abuse)

Cheers,

Rob
Quote Reply
Re: [mrrob] Security risk? HTML code in Description field In reply to
Yes it can be a security risk, you should really check all the submitted fields for html or any malicious code when validating links (another reason why allowing links to be added in directly is a bad idea).

An idea for version 4 would be to add a custom markup like in GForum.

Adrian
Quote Reply
Re: [brewt] Security risk? HTML code in Description field In reply to
Is there a way to hook up a module, or call, that would run the description output through a filter, to strip out html, pending the addition of the full mark up module?

The link is processed several times, maybe a filter in the site_html_link routine?


PUGDOG´┐Ż Enterprises, Inc.

The best way to contact me is to NOT use Email.
Please leave a PM here.
Quote Reply
Re: [brewt] Security risk? HTML code in Description field In reply to
Ok, this was my solution. Remember I'm no programmer or security expert - my goal was to stop users/editors entering suspicious html code in one of my text fields, but still allow then to use basic formatting such as bold and italic, and add links to other web pages.

I created a global which strips out suspicious characters ( see http://www.cgisecurity.com/...xss-faq.shtml#vendor) and then converts a limited number of special markup tags to their html equivalent - bold, italic and url. The markup tags are the same as the ones used in Gossamer Forum except url, which also enclose the url in single quotes. I can't work out how to show these because Gossamer Forum keeps stripping htem out.

Anyway, here's the global "longdesc_formatted" which gets called from the detailed page template ie. <%longdesc_formatted%>. In the global below LongDesc is an extended text field that editors are allowed to enter extra information and use the markup tags described above.

Code:

sub {
my $tags = shift;
my $description = $tags->{LongDesc};
# replace suspect characters
$description =~ s/&/&amp\;/g;
$description =~ s/</&lt\;/g;
$description =~ s/>/&gt\;/g;
$description =~ s/"/&quot\;/g;
$description =~ s/#/&#35\;/g;
$description =~ s/\(/&#40\;/g;
$description =~ s/\(/&#41\;/g;
# convert new lines to line break tags
$description =~ s/\n/<BR>\n/g;
# convert bold tags
$description =~ s/\[b\]/<b>/g;
$description =~ s/\[\/b\]/<\/b>/g;
# convert italic tags
$description =~ s/\[i\]/<i>/g;
$description =~ s/\[\/i\]/<\/i>/g;
# convert url tags
$description =~ s/\[url='(http.+)'\]/<a href="$1" rel="nofollow" target="_blank">/g;
$description =~ s/\[\/url\]/<\/a>/g;
return $description;
}

Any feedback gladly received.

Robert
Quote Reply
Re: [mrrob] Security risk? HTML code in Description field In reply to
Here is what I'm using for my blogger. It's not the best out there, but it does what I want it to: allow listed tags, but also escape all others.

Code:
sub strip_bad_html {
my $html = shift;

my $allowed = [qw/a address b big blockquote br center cite code dd dfn div dl dt em font form
hr h1 h2 h3 h4 h5 h6 i img input li nobr noscript ol p pre q samp small span
strike strong style sub sup table td tr tbody textarea tfoot th thead tt u ul/];

my $tags = { map { $_ => 1 } @$allowed };

$html =~ s,(<\s*(/?\s*([\w!]+)\s*([^>]*?))>),
if ($tags->{$3}) { "\[tag\]$2\[/tag\]" }
else { "&lt; $2 &gt;" }
,iegs;

$html =~ s,<,&lt;,sg;
$html =~ s,>,&gt;,sg;

$html =~ s,\[tag\],<,sg;
$html =~ s,\[/tag\],>,sg;
return $html;
}

Philip
------------------
Limecat is not pleased.
Quote Reply
Re: [fuzzy logic] Security risk? HTML code in Description field In reply to
Looks like just what is needed, how do I use this global?
Quote Reply
Re: [jgkiefer] Security risk? HTML code in Description field In reply to
Hi,

Just create a new global, with the name "strip_html_tags", and then put the following in it;

Code:
sub {
my $html = shift;

my $allowed = [qw/a address b big blockquote br center cite code dd dfn div dl dt em font form
hr h1 h2 h3 h4 h5 h6 i img input li nobr noscript ol p pre q samp small span
strike strong style sub sup table td tr tbody textarea tfoot th thead tt u ul/];

my $tags = { map { $_ => 1 } @$allowed };

$html =~ s,(<\s*(/?\s*([\w!]+)\s*([^>]*?))>),
if ($tags->{$3}) { "\[tag\]$2\[/tag\]" }
else { "&lt; $2 &gt;" }
,iegs;

$html =~ s,<,&lt;,sg;
$html =~ s,>,&gt;,sg;

$html =~ s,\[tag\],<,sg;
$html =~ s,\[/tag\],>,sg;
return $html;
}

..then call with <%strip_html_tags($Description)%>

BTW, nice routine Philip Smile

Cheers

Andy (mod)
andy@ultranerds.co.uk
Want to give me something back for my help? Please see my Amazon Wish List
GLinks ULTRA Package | GLinks ULTRA Package PRO
Links SQL Plugins | Website Design and SEO | UltraNerds | ULTRAGLobals Plugin | Pre-Made Template Sets | FREE GLinks Plugins!
Quote Reply
Re: [Andy] Security risk? HTML code in Description field In reply to
Can I take out other HTML tags that I want to disallow by removing them from this code?
Code:
my $allowed = [qw/a address b big blockquote br center cite code dd dfn div dl dt em font form
hr h1 h2 h3 h4 h5 h6 i img input li nobr noscript ol p pre q samp small span
strike strong style sub sup table td tr tbody textarea tfoot th thead tt u ul/];

BTW- Philip did some nice coding too! Cool

Quote Reply
Re: [jgkiefer] Security risk? HTML code in Description field In reply to
Quote:
Can I take out other HTML tags that I want to disallow by removing them from this code?

I guess so :)

Cheers

Andy (mod)
andy@ultranerds.co.uk
Want to give me something back for my help? Please see my Amazon Wish List
GLinks ULTRA Package | GLinks ULTRA Package PRO
Links SQL Plugins | Website Design and SEO | UltraNerds | ULTRAGLobals Plugin | Pre-Made Template Sets | FREE GLinks Plugins!
Quote Reply
Re: [Andy] Security risk? HTML code in Description field In reply to
Yes, just remove anything you don't want allowed. Glad you both like the code ;-)

Philip
------------------
Limecat is not pleased.
Quote Reply
Re: [mrrob] Security risk? HTML code in Description field In reply to
You may also want to take a look at the HTML::BBCode module on CPAN:

http://search.cpan.org/...1/lib/HTML/BBCode.pm

Last edited by:

xev: Jul 8, 2005, 7:37 AM
Quote Reply
Re: [fuzzy logic] Security risk? HTML code in Description field In reply to
I have discovered that the html tags
Code:
my $allowed = [qw/a address b big blockquote br center cite code dd dfn div dl dt em font form
hr h1 h2 h3 h4 h5 h6 i img input li nobr noscript ol p pre q samp small span
strike strong style sub sup table td tr tbody textarea tfoot th thead tt u ul/];

Are all case sensitive. Is there an easy way around this without having to duplicate the tags?
my $allowed = [qw/a A address ADDRESS b B etc....
Quote Reply
Re: [jgkiefer] Security risk? HTML code in Description field In reply to
how in the world did I miss that?!!

try changing
Code:
if ($tags->{$3}) { "\[tag\]$2\[/tag\]" }

to
Code:
if ($tags->{lc $3}) { "\[tag\]$2\[/tag\]" }

Philip
------------------
Limecat is not pleased.
Quote Reply
Re: [fuzzy logic] Security risk? HTML code in Description field In reply to
Works great, thanks! Wink