
[Resolved] Help with regex and question!



[vengeance]
09-02-2009, 01:40 PM
Hello.

I'm coding a form where people can post whatever they want to - HTML is allowed! However there are these simple META HTML redirects, which I want to block.

So I store the posted information in a variable called $postContent. And then I want to check with a regular expression whether the user posted something like:


<META HTTP-EQUIV=Refresh CONTENT="2; URL=http://badwebsite.com">

I'm not really familiar with regular expressions, so any help/explanation of code is appreciated.

And my question is - is there any other harmful code written in HTML that I should be aware of?

I know allowing everyone to do HTML isn't that great of an idea, but I want/need it to be that way.

funnymoney
09-02-2009, 01:55 PM
[vengeance] wrote: And my question is - is there any other harmful code written in HTML that I should be aware of?

I'm not in the mood to write regex right now, but as for other question...

Javascript! If you allow HTML then you probably allow someone to write Javascript to your website and that is dangerous!

Study on XSS (http://en.wikipedia.org/wiki/Cross-site_scripting).

[vengeance]
09-02-2009, 02:01 PM
Oh yeah, right. I totally forgot about JavaScript/XSS. :x

So would blocking JavaScript be an option, or are there too many alternatives on how to attack a website when HTML writing is allowed?

funnymoney
09-02-2009, 02:12 PM
[vengeance] wrote: So would blocking JavaScript be an option, or are there too many alternatives on how to attack a website when HTML writing is allowed?

i think myspace allows html to be written directly to the website, and it's still working. :)

you need to check the usual vulnerabilities like MySQL injections, execution of PHP code, malicious HTML like that <meta redirect you noted, and of course Javascript XSS possibilities.

personally i wouldn't use HTML but plain good ol' bbcode, but even if you allow html you can make a secure website, just with a lot more planning beforehand.

[vengeance]
09-02-2009, 02:21 PM
I personally don't want to use BBCodes - at least not for this feature.

But again - all that you mentioned, wouldn't it just simply be regex checks and then error message if any of the strings are found?

Like <meta, <script, etc.?

funnymoney
09-02-2009, 02:25 PM
yes it should be enough, although i read about javascript that there are other ways to execute it on a website, by bypassing the use of <script> tags. i'm not 100% sure about that
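
An allowlist filter does what the regex blocklist discussed above is trying to do without having to name every bad tag. This is an added example (not code from this thread, from [vengeance]'s form, or from HTML_Safe) built on Python's standard-library html.parser; the set of allowed tags and attributes is an assumed policy chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist policy assumed for this example: whatever is not listed here is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")
RAW_TEXT_TAGS = {"script", "style"}  # their text content is code, not prose


class AllowlistSanitizer(HTMLParser):
    # Rebuilds the input from parsed tokens. A blocklist (<meta, <script) misses
    # event-handler attributes and javascript: URLs; an allowlist never has to name them.
    def __init__(self):
        super().__init__()          # entities arrive as plain text (convert_charrefs)
        self.out = []
        self.skipping = False       # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skipping = True
        if tag not in ALLOWED_TAGS:
            return                  # <meta ...>, <script>, <iframe>, ... vanish
        kept = ""
        for name, value in attrs:   # HTMLParser lower-cases tag and attribute names
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue            # drops onmouseover=, style=, etc.
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue            # drops javascript:, data:, vbscript: links
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skipping = False
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))  # text stays text, never markup


def sanitize(post_content):
    """Return an allowlist-filtered copy of user-posted HTML."""
    parser = AllowlistSanitizer()
    parser.feed(post_content)
    parser.close()
    return "".join(parser.out)
```

Comments and declarations are dropped by the parser's default no-op handlers, so the meta refresh from the first post comes out as an empty string while ordinary formatting tags survive.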

[vengeance]
09-02-2009, 03:59 PM
Thanks for your reply.

I found something much more efficient and simple to use.

http://pear.php.net/package/HTML_Safe
