Thread: XSS Handling
Old Nov 21st, 2006, 4:08 PM   #1
grimpirate
King of Portal
XSS Handling

Working on GrimBB, I've learned a couple of interesting things. One, designing a forum is a lot of work lol. Two, after being hacked by one Mr. B9 (who is now helping me safeguard GrimBB, ironic isn't it?), password hacking wasn't the only thing I had to worry about. He pointed out XSS, which is cross-site scripting. Basically, it means people putting javascript into their posts in creative ways. You would think that searching for the <script> tag would take care of that, but sadly no. There are a variety of ways of getting javascript into posts. Lots of boards like this one use their own tags enclosed in brackets to prevent the usage of HTML tags of any sort. I didn't much care for that approach; I wanted people to be able to use certain HTML tags without having to create new ones. So here was my solution (in conceptual form) to XSS attacks.

The checkPost function in my code does a great number of things, but the 4 most important are:
  1. Checks for certain HTML tags which are just not allowed
  2. Checks for all javascript event triggers that start with the word on such as onMouseDown, onClick, etc.
  3. Checks for a '(' within any < > denoting a tag
  4. Checks for '&#' within any < > denoting a tag
The last two are to prevent javascript methods from being inserted into HTML tags, and to prevent hackers from using the HTML character entity approach to create the same type of functions. These 4 ways seem to safeguard pretty effectively against XSS. I'm sure there are more ways, but I need them to be pointed out so that I can counter them. Any help is appreciated. If you want to check out the actual code (it's in PHP), just check out my homepage, as it's the link to GrimBB.
__________________
Lo, there do I see my father. 'Lo, there do I see My mother, and my sisters, and my brothers. 'Lo, there do I see The line of my people... Back to the beginning. 'Lo, they do call to me. They bid me take my place among them. In the halls of Valhalla... Where the brave... May live... ...forever.. GrimBB | Mimesis
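As an added illustration (this is not GrimBB's code; the forbidden-tag list and the allowed-tag set are assumptions), here is a Python sketch of the four checks described in the post, beside the allowlist approach most forum engines later settled on: escape everything, then reinstate only a few attribute-free tags, so the markup that reaches the browser never depends on a blocklist rule catching every new trick.

```python
import html
import re

# Assumed list of tags a board would refuse outright (rule 1).
FORBIDDEN_TAGS = {"script", "iframe", "object", "embed", "style", "meta", "link", "form"}
# Matches one tag: optional slash, the tag name, then everything up to '>'.
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>", re.DOTALL)
# Rule 2: any attribute whose name starts with the word "on" (onClick, onMouseDown, ...).
EVENT_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def check_post(text):
    """Blocklist filter as described in the post.

    Returns None when the post passes, otherwise a string naming the rule
    that rejected it.
    """
    for m in TAG_RE.finditer(text):
        name, attrs = m.group(2).lower(), m.group(3)
        if name in FORBIDDEN_TAGS:
            return f"forbidden tag <{name}>"
        if EVENT_RE.search(attrs):
            return "event handler attribute"
        if "(" in attrs:                   # rule 3: no '(' inside a tag
            return "'(' inside tag"
        if "&#" in attrs:                  # rule 4: no character entities inside a tag
            return "'&#' inside tag"
    return None


# Assumed allowlist: plain formatting tags, no attributes permitted at all.
ALLOWED_TAGS = {"b", "i", "u", "p", "br"}
ESCAPED_TAG_RE = re.compile(r"&lt;(/?)([a-zA-Z]+)&gt;")


def sanitize_allowlist(text):
    """Allowlist alternative: HTML-escape the whole post, then turn only
    bare allowed tags (no attributes, no whitespace) back into real markup.
    Anything else, including any tag carrying attributes, stays escaped."""
    escaped = html.escape(text, quote=True)

    def restore(m):
        slash, name = m.group(1), m.group(2).lower()
        return f"<{slash}{name}>" if name in ALLOWED_TAGS else m.group(0)

    return ESCAPED_TAG_RE.sub(restore, escaped)
```

With the allowlist version a tag carrying an `onClick` attribute is simply rendered as literal text, so rules 2 to 4 become unnecessary rather than something to keep patching.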