Gossamer Forum: Products: Gossamer Links: Discussions: Security risk? HTML code in Description field

May 10, 2005, 11:29 PM

mrrob

Novice (32 posts)

May 10, 2005, 11:29 PM

Post #1 of 14

Shortcut

Security risk? HTML code in Description field

Hi,

I noticed that by default it is possible to enter html code in the link description field, and that this doesn't get escaped out when the category/detailed pages are generated.

Is this a security risk? I'm thinking of things like cross site scripting etc (although I'm no expert on these things - so wanted to get advice from the community)

(Note - I actually want my editors to be able to "bold" text and add "urls" to the description field and a couple of other text fields I have created - but I'm a bit worried about the potential for abuse)

Cheers,

Rob

May 10, 2005, 11:34 PM

brewt

Staff (4101 posts)

May 10, 2005, 11:34 PM

Post #2 of 14

Shortcut

Re: [mrrob] Security risk? HTML code in Description field In reply to

Yes it can be a security risk, you should really check all the submitted fields for html or any malicious code when validating links (another reason why allowing links to be added in directly is a bad idea).

An idea for version 4 would be to add a custom markup like in GForum.

Adrian

May 11, 2005, 10:10 AM

pugdog

Veteran / Moderator (6956 posts)

May 11, 2005, 10:10 AM

Post #3 of 14

Shortcut

Re: [brewt] Security risk? HTML code in Description field In reply to

Is there a way to hook up a module, or call, that would run the description output through a filter, to strip out html, pending the addition of the full mark up module?

The link is processed several times, maybe a filter in the site_html_link routine?

PUGDOG� Enterprises, Inc.

The best way to contact me is to NOT use Email.
Please leave a PM here.

May 12, 2005, 6:38 AM

mrrob

Novice (32 posts)

May 12, 2005, 6:38 AM

Post #4 of 14

Shortcut

Re: [brewt] Security risk? HTML code in Description field In reply to

Ok, this was my solution. Remember I'm no programmer or security expert - my goal was to stop users/editors entering suspicious html code in one of my text fields, but still allow then to use basic formatting such as bold and italic, and add links to other web pages.

I created a global which strips out suspicious characters ( see http://www.cgisecurity.com/...xss-faq.shtml#vendor) and then converts a limited number of special markup tags to their html equivalent - bold, italic and url. The markup tags are the same as the ones used in Gossamer Forum except url, which also enclose the url in single quotes. I can't work out how to show these because Gossamer Forum keeps stripping htem out.

Anyway, here's the global "longdesc_formatted" which gets called from the detailed page template ie. <%longdesc_formatted%>. In the global below LongDesc is an extended text field that editors are allowed to enter extra information and use the markup tags described above.

Code:

sub {  
    my $tags = shift;  
    my $description = $tags->{LongDesc};  
# replace suspect characters  
    $description =~ s/&/&amp\;/g;  
    $description =~ s/</&lt\;/g;  
    $description =~ s/>/&gt\;/g;  
    $description =~ s/"/&quot\;/g;  
    $description =~ s/#/&#35\;/g;  
    $description =~ s/\(/&#40\;/g;  
    $description =~ s/\(/&#41\;/g;  
# convert new lines to line break tags  
    $description =~ s/\n/<BR>\n/g;  
# convert bold tags  
    $description =~ s/\[b\]/<b>/g;  
    $description =~ s/\[\/b\]/<\/b>/g;  
# convert italic tags  
    $description =~ s/\[i\]/<i>/g;  
    $description =~ s/\[\/i\]/<\/i>/g;  
# convert url tags  
    $description =~ s/\[url='(http.+)'\]/<a href="$1" rel="nofollow" target="_blank">/g;  
    $description =~ s/\[\/url\]/<\/a>/g;  
    return $description;   
}

Any feedback gladly received.

Robert

May 12, 2005, 7:42 AM

fuzzy logic

Enthusiast (854 posts)

May 12, 2005, 7:42 AM

Post #5 of 14

Shortcut

Re: [mrrob] Security risk? HTML code in Description field In reply to

Here is what I'm using for my blogger. It's not the best out there, but it does what I want it to: allow listed tags, but also escape all others.

Code:
sub strip_bad_html { 
  my $html = shift; 

  my $allowed = [qw/a address b big blockquote br center cite code dd dfn div dl dt em font form 
                    hr h1 h2 h3 h4 h5 h6 i img input li nobr noscript ol p pre q samp small span 
                    strike strong style sub sup table td tr tbody textarea tfoot th thead tt u ul/]; 

  my $tags = { map { $_ => 1 } @$allowed }; 

  $html =~ s,(<\s*(/?\s*([\w!]+)\s*([^>]*?))>),  
                                               if   ($tags->{$3}) { "\[tag\]$2\[/tag\]" } 
                                               else               { "&lt; $2 &gt;" } 
                                              ,iegs; 

  $html =~ s,<,&lt;,sg; 
  $html =~ s,>,&gt;,sg; 

  $html =~ s,\[tag\],<,sg; 
  $html =~ s,\[/tag\],>,sg; 
  return $html; 
}

Philip
------------------
Limecat is not pleased.

Jul 1, 2005, 7:10 AM

jgkiefer

User (376 posts)

Jul 1, 2005, 7:10 AM

Post #6 of 14

Shortcut

Re: [fuzzy logic] Security risk? HTML code in Description field In reply to

Looks like just what is needed, how do I use this global?

Jul 1, 2005, 9:31 AM

Andy

Veteran / Moderator (18441 posts)

Jul 1, 2005, 9:31 AM

Post #7 of 14

Shortcut

Re: [jgkiefer] Security risk? HTML code in Description field In reply to

Hi,

Just create a new global, with the name "strip_html_tags", and then put the following in it;

Code:
sub {  
  my $html = shift;  

  my $allowed = [qw/a address b big blockquote br center cite code dd dfn div dl dt em font form  
                    hr h1 h2 h3 h4 h5 h6 i img input li nobr noscript ol p pre q samp small span  
                    strike strong style sub sup table td tr tbody textarea tfoot th thead tt u ul/];  

  my $tags = { map { $_ => 1 } @$allowed };  

  $html =~ s,(<\s*(/?\s*([\w!]+)\s*([^>]*?))>),   
                                               if   ($tags->{$3}) { "\[tag\]$2\[/tag\]" }  
                                               else               { "&lt; $2 &gt;" }  
                                              ,iegs;  

  $html =~ s,<,&lt;,sg;  
  $html =~ s,>,&gt;,sg;  

  $html =~ s,\[tag\],<,sg;  
  $html =~ s,\[/tag\],>,sg;  
  return $html;  
}

..then call with <%strip_html_tags($Description)%>

BTW, nice routine Philip Smile

Cheers

Andy (mod)
andy@ultranerds.co.uk

Jul 1, 2005, 9:48 AM

jgkiefer

User (376 posts)

Jul 1, 2005, 9:48 AM

Post #8 of 14

Shortcut

Re: [Andy] Security risk? HTML code in Description field In reply to

Can I take out other HTML tags that I want to disallow by removing them from this code?

Code:
my $allowed = [qw/a address b big blockquote br center cite code dd dfn div dl dt em font form   
                     hr h1 h2 h3 h4 h5 h6 i img input li nobr noscript ol p pre q samp small span   
                     strike strong style sub sup table td tr tbody textarea tfoot th thead tt u ul/];

BTW- Philip did some nice coding too! Cool

Jul 1, 2005, 9:49 AM

Andy

Veteran / Moderator (18441 posts)

Jul 1, 2005, 9:49 AM

Post #9 of 14

Shortcut

Re: [jgkiefer] Security risk? HTML code in Description field In reply to

Quote:

Can I take out other HTML tags that I want to disallow by removing them from this code?

I guess so :)

Cheers

Andy (mod)
andy@ultranerds.co.uk

Jul 1, 2005, 8:30 PM

fuzzy logic

Enthusiast (854 posts)

Jul 1, 2005, 8:30 PM

Post #10 of 14

Shortcut

Re: [Andy] Security risk? HTML code in Description field In reply to

Yes, just remove anything you don't want allowed. Glad you both like the code ;-)

Philip
------------------
Limecat is not pleased.

Jul 8, 2005, 7:36 AM

xev

User (59 posts)

Jul 8, 2005, 7:36 AM

Post #11 of 14

Shortcut

Re: [mrrob] Security risk? HTML code in Description field In reply to

You may also want to take a look at the HTML::BBCode module on CPAN:

http://search.cpan.org/...1/lib/HTML/BBCode.pm

Last edited by:

xev: Jul 8, 2005, 7:37 AM

Jul 9, 2005, 7:22 PM

jgkiefer

User (376 posts)

Jul 9, 2005, 7:22 PM

Post #12 of 14

Shortcut

Re: [fuzzy logic] Security risk? HTML code in Description field In reply to

I have discovered that the html tags

Code:
  my $allowed = [qw/a address b big blockquote br center cite code dd dfn div dl dt em font form  
                    hr h1 h2 h3 h4 h5 h6 i img input li nobr noscript ol p pre q samp small span  
                    strike strong style sub sup table td tr tbody textarea tfoot th thead tt u ul/];

Are all case sensitive. Is there an easy way around this without having to duplicate the tags?
my $allowed = [qw/a A address ADDRESS b B etc....

Jul 9, 2005, 9:11 PM

fuzzy logic

Enthusiast (854 posts)

Jul 9, 2005, 9:11 PM

Post #13 of 14

Shortcut

Re: [jgkiefer] Security risk? HTML code in Description field In reply to

how in the world did I miss that?!!

try changing

Code:
                                               if   ($tags->{$3}) { "\[tag\]$2\[/tag\]" }

Code:
                                               if   ($tags->{lc $3}) { "\[tag\]$2\[/tag\]" }

Philip
------------------
Limecat is not pleased.

Jul 10, 2005, 8:16 AM

jgkiefer

User (376 posts)

Jul 10, 2005, 8:16 AM

Post #14 of 14

Shortcut

Re: [fuzzy logic] Security risk? HTML code in Description field In reply to

Works great, thanks! Wink