[nycphp-talk] sanitizing user-submitted html

James Wetterau james at surgam.net
Sat May 31 01:57:02 EDT 2003


Chris Snyder says:
> James Wetterau wrote:
>
> >This submission breaks it:
> >
> >Strips some attibutes:<br>
> ><img src='http://fotola.com/berylium/csnyder/?method=latestimage'
> >onmouseover='whatever(whatever="onmouseover='
> >alert("gotcha");
> >alert("I can do anything in here");
> >'/>
> >
> >
> >
> Not anymore. Two things happened there-- I needed to create separate
> patterns for attributes delimited with " and with ', and I didn't
> realize that the dot wasn't matching newline chars. Fixed both of those,
> and thanks for the shakedown!!

I can now break it with this input:         

Strips some attibutes:<br />
<img src='http://fotola.com/berylium/csnyder/?method=latestimage'
onmouseover=onmouseover='alert("gotcha")''alert("gotcha");
alert("I can also do multiple lines!");' title='a photo' />
<blink>blink!</blink>
<b>adds <b>closing</b> tags if necessary.

...
> I took a crash course in state machines this evening via Google, and I
> must admit that I have no idea what this problem would look like if modeled
> as one. It's true that I would be happier with mathematical proof that
> the routine was unexploitable, but anecdotal proof will be enough for me
> to allow HTML posts in non-critical applications. Thanks again for
...

My pleasure, and thank you for putting your code out there for review.
I think it's a good lesson to see how hard it is to sanitize user input, even
starting with a lot of initial cleverness. 

I think at minimum you need to loop over the resulting output to
verify that you haven't transformed your input into an output which
still triggers your conditions for requiring modification.

One thing you might want to do is add extraneous spaces around things
you've expunged, which might prevent parts from joining together around
an expunged piece.  This should generally be ok, because most legitimate
HTML shouldn't care about whitespace.
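As an added illustration of the two suggestions above (it is not Chris's sanitizer from the thread, whose code is not in this message, nor any other code from the list): a small regex-based PHP stripper that replaces each expunged piece with a single space, plus a fixed-point loop that re-runs it until the output stops changing. The function names, the `$max_passes` cap and the sample input are assumptions made for the example; the input is constructed to resemble the submission quoted earlier in the thread.

```php
<?php
// Added example (not the thread's sanitizer). Shows: (1) re-running the
// stripper until a pass changes nothing, (2) replacing removed text with a
// space so fragments on either side cannot join into a new token.

// One pass of a regex-based stripper: drop on* event-handler attributes and
// <blink> tags. The patterns use \s and [^...] classes rather than `.`, so
// they span newlines without relying on the `s` modifier (the dot-vs-newline
// bug mentioned in the thread). `i` makes matching case-insensitive.
function sanitize_once(string $html): string
{
    $patterns = [
        '/\bon\w+\s*=\s*"[^"]*"/i',       // on...="..."
        '/\bon\w+\s*=\s*\'[^\']*\'/i',    // on...='...'  (\' is a literal quote in PHP)
        '/\bon\w+\s*=\s*[^\s>\'"]+/i',    // on...=unquoted
        '/<\/?blink\b[^>]*>/i',           // <blink ...> and </blink>
    ];
    // A single space, not '', so that the text left of a removed piece and
    // the text right of it cannot merge into a new attribute or tag.
    return preg_replace($patterns, ' ', $html);
}

// Fixed-point loop: a pass that changes nothing shows a further pass would
// not change anything either, which is the "loop over the output" check.
function sanitize(string $html, int $max_passes = 10): string
{
    for ($pass = 0; $pass < $max_passes; $pass++) {
        $out = sanitize_once($html);
        if ($out === $html) {
            return $out;
        }
        $html = $out;
    }
    // Still changing after the cap (assumed limit): fail closed rather than
    // emit text the stripper has not finished with.
    throw new RuntimeException('sanitizer did not converge');
}

// Independent check: does the output still match anything we meant to remove?
function looks_clean(string $html): bool
{
    return preg_match('/\bon\w+\s*=|<\/?blink\b/i', $html) === 0;
}

// Constructed input modelled on the submission quoted in this thread.
$input = "<img src='http://example.invalid/photo' "
       . "onmouseover=onmouseover='alert(\"gotcha\")''alert(\"gotcha\");\n"
       . "alert(\"second line\");' title='a photo' />\n"
       . "<blink>blink!</blink>";

$once  = sanitize_once($input);
$fixed = sanitize($input);

printf("single pass clean: %s\n", looks_clean($once) ? 'yes' : 'no');
printf("fixed point clean: %s\n", looks_clean($fixed) ? 'yes' : 'no');
echo $fixed, "\n";
```

Tracing the single pass by hand: the second pattern removes the inner `onmouseover='alert("gotcha")'`, which leaves the outer `onmouseover= 'alert(...)'` intact, so `looks_clean()` fails on that output. The second iteration of `sanitize()` removes the outer handler, the third changes nothing, and the loop returns. Running the stripper once and trusting the result is exactly the gap the two suggestions above close; the `looks_clean()` check is the cheap assertion to keep in place even after the loop, since it is written independently of the replacement patterns.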
