HTML in posts

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
JPortal
Registered User
Posts: 117
Joined: Sun Nov 28, 2004 10:42 pm

HTML in posts

Post by JPortal »

Pondering how I would go about making phpBB use WYSIWYG forms, I thought of a few security/cosmetic issues related to HTML in posts. I don't think any of these have been fixed in 2.1.2 or 2.0.x

Javascript
Honestly, I don't see why this issue hasn't been addressed (it hasn't, has it?). Just do a simple (or many simple) preg_replace()'s of all JS code in posts, before posting. Remove <script*>*</script> and onaction="" in HTML.
I personally made a script that removes Javascript. One problem I ran into was that you could still use Javascript if you posted this:

Code:

<b onclionclick=""ck="do_something_malicious();"></b>
And similar stuff can be done. The answer of course is simple, just do this:

Code:

while (javascript_found())
{
  remove_it();
}
Breaking out of HTML flow
People can put single </td> tags in their posts and break out of the page flow. Using the current BBcode system already in place (or being put in place as we speak...) phpBB should do an html_first_pass before posting, and an html_second_pass afterwards, to only output tags if two are found (<td></td>).

Allowed tags
I personally think this should be replaced with a list of DISALLOWED tags. To me it seems the current system only exists so people can't use </td> tags at all (unless allowed), but it's really just a quick 'n dirty fix that doesn't actually solve anything. Thinking ahead, it would also make WYSIWYG a major pain, because you would end up having a huge list of allowed tags. More practical to just have disallowed tags.

My two cents :P I want to know what other people think too.

olger901
Registered User
Posts: 536
Joined: Tue May 11, 2004 4:57 pm

Re: HTML in posts

Post by olger901 »

This board is a sort of pre-alpha CVS testing board and is NOT bug free, which means that issues will arise, also possible security issues, of which most of the developers are aware.

Roberdin
Registered User
Posts: 1546
Joined: Wed Apr 09, 2003 8:44 pm
Location: London, United Kingdom

Re: HTML in posts

Post by Roberdin »

Disable HTML. Easy.
Rob

JPortal
Registered User
Posts: 117
Joined: Sun Nov 28, 2004 10:42 pm

Re: HTML in posts

Post by JPortal »

Roberdin wrote:Disable HTML. Easy.
That's a major cop-out. Rather than make a feature easy to configure and secure, you just disable it?

Ptirhiik_
Registered User
Posts: 526
Joined: Tue Nov 18, 2003 8:35 am

Re: HTML in posts

Post by Ptirhiik_ »

It is the best option: bbCodes are there to secure any HTML design. Wanting to use HTML in posts is just like wanting to dig security holes, and there is nothing you could do to prevent this without doing what is done with bbCode.

Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: HTML in posts

Post by Martin Blank »

JPortal wrote:I personally think this should be replaced with a list of DISALLOWED tags. To me it seems the current system only exists so people can't use </td> tags at all (unless allowed), but it's really just a quick 'n dirty fix that doesn't actually solve anything.
All other things being equal, simplicity rules in security. Think of a firewall: You can prevent access to all ports that you don't want access to, or you can block everything except those you want specifically allowed. The latter approach is by far the more common.

There are dozens (hundreds?) of HTML tags, and it's far easier to allow those you like and block everything else. For a handful, this means more work, but it's better for the majority.
You can never go home again... but I guess you can shop there.
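The two points made so far, JPortal's observation that a single preg_replace pass can be fooled by a nested handler and has to be repeated until nothing changes, and Martin Blank's argument that allowing a short list of tags and dropping everything else is simpler and safer, can be put side by side in code. The following is an added example written for this thread; it is not phpBB code and not anything the posters wrote. It uses Python's standard html.parser, and the sample post body, the event-handler list and the allowed-tag table are all constructed here for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample post body (not taken from the thread): the nested handler
# shape described above, plus a stray closing cell tag that would break layout.
SAMPLE_POST = ('<b onclionclick=""ck="do_something_malicious();">bold</b>'
               ' text <i>open</td>')

# Blocklist approach: remove known event-handler attributes, preg_replace style.
# The handler names are a constructed, deliberately incomplete list.
EVENT_ATTR = re.compile(r'on(?:click|load|mouseover|error)\s*=\s*"[^"]*"', re.I)


def strip_events_once(text):
    """One removal pass. Cutting onclick="" out of the middle of the nested
    attribute leaves a working onclick behind, so one pass is not enough."""
    return EVENT_ATTR.sub('', text)


def strip_events_until_stable(text):
    """Repeat the pass until a run changes nothing (the while (javascript_found())
    loop). This closes the nesting trick but still only knows the names listed."""
    while True:
        cleaned = strip_events_once(text)
        if cleaned == text:
            return cleaned
        text = cleaned


# Allowlist approach: the parser re-emits only tags and attributes named here;
# every other tag and attribute is dropped and plain text is escaped.
ALLOWED_TAGS = {'b': set(), 'i': set(), 'u': set(), 'p': set(), 'br': set(),
                'a': {'href'}}
VOID_TAGS = {'br'}


class AllowlistSanitizer(HTMLParser):
    """Rebuild the post from allowed tags only, keeping the output balanced."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # allowed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content still passes through
        kept = []
        for name, value in attrs:
            # Only listed attributes survive; href must be a plain http(s) URL.
            if (name in ALLOWED_TAGS[tag] and value is not None
                    and value.strip().lower().startswith(('http://', 'https://'))):
                kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append('<%s%s>' % (tag, ''.join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return  # stray closer such as </td> cannot escape the post's box
        while self.stack:  # close anything left open inside it, then the tag
            top = self.stack.pop()
            self.out.append('</%s>' % top)
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.stack:  # close tags the author left open
            self.out.append('</%s>' % self.stack.pop())
        return ''.join(self.out)


def sanitize(post_html):
    """Allowlist sanitizer entry point: returns balanced HTML using only ALLOWED_TAGS."""
    parser = AllowlistSanitizer()
    parser.feed(post_html)
    return parser.result()


if __name__ == '__main__':
    print('one pass      :', strip_events_once(SAMPLE_POST))
    print('until stable  :', strip_events_until_stable(SAMPLE_POST))
    print('allowlist     :', sanitize(SAMPLE_POST))
```

Run as a script, the first line still contains an onclick handler, the second has removed it but keeps the dangling </td>, and the third prints `<b>bold</b> text <i>open</i>`: the allowlist never needs a second pass, because it does not delete substrings from the author's markup; it discards the author's markup and writes its own from a parsed tree. Adding a tag to ALLOWED_TAGS is the one place a site administrator has to make a decision, which is the trade-off Martin Blank describes.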

Roberdin
Registered User
Posts: 1546
Joined: Wed Apr 09, 2003 8:44 pm
Location: London, United Kingdom

Re: HTML in posts

Post by Roberdin »

JPortal wrote:
Roberdin wrote:Disable HTML. Easy.
That's a major cop-out. Rather than make a feature easy to configure and secure, you just disable it?
Allowing HTML is not a feature, it's more of a voluntary security hole. There's no need to enable HTML, you can just create custom BBCode.
Rob

JPortal
Registered User
Posts: 117
Joined: Sun Nov 28, 2004 10:42 pm

Re: HTML in posts

Post by JPortal »

Martin Blank wrote:
JPortal wrote:I personally think this should be replaced with a list of DISALLOWED tags. To me it seems the current system only exists so people can't use </td> tags at all (unless allowed), but it's really just a quick 'n dirty fix that doesn't actually solve anything.
All other things being equal, simplicity rules in security. Think of a firewall: You can prevent access to all ports that you don't want access to, or you can block everything except those you want specifically allowed. The latter approach is by far the more common.

There are dozens (hundreds?) of HTML tags, and it's far easier to allow those you like and block everything else. For a handful, this means more work, but it's better for the majority.
Well, there should be both then, IMO. "allowed_html" and "disallowed_html", and one takes precedence over the other depending on another config setting.

I'm just trying to think ahead - WYSIWYG has been in other forum software for a long time, and phpBB continues to lag behind. Even if phpBB doesn't come with WYSIWYG by default, the developers at least need to be considerate of what the modders will eventually have to do.

Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: HTML in posts

Post by Martin Blank »

They're working to make a secure, stable board. They have no obligation to make it easy to modify. They could make it easier (some of the code comments aren't always easy to follow, and some code could be a little better commented, but I'm worse than they are at it, so I shall now pipe down on the topic) but in doing so, they may open the way for other vulnerabilities to be dropped in. Security is more important than glitz.
You can never go home again... but I guess you can shop there.

Graham
Registered User
Posts: 1304
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Re: HTML in posts

Post by Graham »

As the others have said, the aim of the developers is stable and secure code. In the view of most people, blocking all but the required tags is much more secure and when you have the ability to create custom BBCode in the admin panel to provide "safe" access to whatever output tags you want, there really is very little need for what you are asking for.
"So Long, and Thanks for All the Fish"

Graham
Eeek, a blog!
