HTML in posts

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
JPortal
Registered User
Posts: 117
Joined: Sun Nov 28, 2004 10:42 pm

HTML in posts

Post by JPortal »

Pondering how I would go about making phpBB use WYSIWYG forms, I thought of a few security/cosmetic issues related to HTML in posts. I don't think any of these have been fixed in 2.1.2 or 2.0.x

Javascript
Honestly, I don't see why this issue hasn't been addressed (it hasn't, has it?). Just do a simple (or many simple) preg_replace()'s of all JS code in posts, before posting. Remove <script*>*</script> and onaction="" in HTML.
I personally made a script that removes Javascript. One problem I ran into was that you could still use Javascript if you posted this:

Code: Select all

<b onclionclick=""ck="do_something_malicious();"></b>
And similar stuff can be done. The answer of course is simple, just do this:

Code: Select all

while (javascript_found())
{
  remove_it();
}
Breaking out of HTML flow
People can put single </td> tags in their posts and break out of the page flow. Using the current BBcode system already in place (or being put in place as we speak...) phpBB should do an html_first_pass before posting, and an html_second_pass afterwards, to only output tags if two are found (<td></td>)

Allowed tags
I personally think this should be replaced with a list of DISALLOWED tags. To me it seems the current system only exists so people can't use </td> tags at all (unless allowed), but it's really just a quick 'n dirty fix that doesn't actually solve anything. Thinking ahead, it would also make WYSIWYG a major pain, because you would end up having a huge list of allowed tags. More practical to just have disallowed tags.

My two cents :P I want to know what other people think too.
User avatar
olger901
Registered User
Posts: 536
Joined: Tue May 11, 2004 4:57 pm

Re: HTML in posts

Post by olger901 »

This board is a sort of pre-alpha CVS testing board and is NOT bug free which means that issues will arise also possible security issues of most the developpers are aware.
-
Roberdin
Registered User
Posts: 1546
Joined: Wed Apr 09, 2003 8:44 pm
Location: London, United Kingdom

Re: HTML in posts

Post by Roberdin »

Disable HTML. Easy.
Rob
JPortal
Registered User
Posts: 117
Joined: Sun Nov 28, 2004 10:42 pm

Re: HTML in posts

Post by JPortal »

Roberdin wrote:Disable HTML. Easy.
That's a major cop-out. Rather than make a feature easy to configure and secure, you just disable it?
User avatar
Ptirhiik_
Registered User
Posts: 526
Joined: Tue Nov 18, 2003 8:35 am

Re: HTML in posts

Post by Ptirhiik_ »

It is the best option : bbCode are here to secure any html design. Willing to use html in post is just like wanting to dig security holes, and there are nothing you could to prevent this until doing what is done with bbCode.
Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: HTML in posts

Post by Martin Blank »

JPortal wrote:I personally think this should be replaced with a list of DISALLOWED tags. To me it seems the current system only exists so people can't use </td> tags at all (unless allowed), but it's really just a quick 'n dirty fix that doesn't actually solve anything.
All other things being equal, simplicity rules in security. Think of a firewall: You can prevent access to all ports that you don't want access to, or you can block everything except those you want specifically allowed. The latter approach is by far the more common.

There are dozens (hundreds?) of HTML tags, and it's far easier to allow those you like and block everything else. For a handful, this means more work, but it's better for the majority.
You can never go home again... but I guess you can shop there.
Roberdin
Registered User
Posts: 1546
Joined: Wed Apr 09, 2003 8:44 pm
Location: London, United Kingdom

Re: HTML in posts

Post by Roberdin »

JPortal wrote:
Roberdin wrote:Disable HTML. Easy.
That's a major cop-out. Rather than make a feature easy to configure and secure, you just disable it?
Allowing HTML is not a feature, it's more of a voluntary security hole. There's no need to enable HTML, you can just create custom BBCode.
Rob
JPortal
Registered User
Posts: 117
Joined: Sun Nov 28, 2004 10:42 pm

Re: HTML in posts

Post by JPortal »

Martin Blank wrote:
JPortal wrote:I personally think this should be replaced with a list of DISALLOWED tags. To me it seems the current system only exists so people can't use </td> tags at all (unless allowed), but it's really just a quick 'n dirty fix that doesn't actually solve anything.
All other things being equal, simplicity rules in security. Think of a firewall: You can prevent access to all ports that you don't want access to, or you can block everything except those you want specifically allowed. The latter approach is by far the more common.

There are dozens (hundreds?) of HTML tags, and it's far easier to allow those you like and block everything else. For a handful, this means more work, but it's better for the majority.
Well, there should be both then, IMO. "allowed_html" and "disallowed_html", and one takes precendence over the other depending on another config setting.

I'm just trying to think ahead - WYSIWYG has been in other forum software for a long time, and phpBB continues to lag behind. Even if phpBB doesn't come with WYSIWYG by default, the developers at least need to be considerate of what the modders will eventually have to do.
Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: HTML in posts

Post by Martin Blank »

They're working to make a secure, stable board. They have no obligation to make it easy to modify. They could make it easier (some of the code comments aren't always easy to follow, and some code could be a little better commented, but I'm worse than they are at it, so I shall now pipe down on the topic) but in doing so, they may open the way for other vulnerabilities to be dropped in. Security is more important than glitz.
You can never go home again... but I guess you can shop there.
Graham
Registered User
Posts: 1304
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Re: HTML in posts

Post by Graham »

As the others have said, the aim of the developers is stable and secure code. In the view of most people, blocking all but the required tags is much more secure and when you have the ability to create custom BBCode in the admin panel to provide "safe" access to whatever output tags you want, there really is very little need for what you are asking for.
"So Long, and Thanks for All the Fish"

Graham
Eeek, a blog!
Post Reply