Programming Forums - XSS Handling (http://www.programmingforums.org/showthread.php?t=11968)

grimpirate Nov 21st, 2006 4:08 PM

XSS Handling
 
Working on GrimBB I've learned a couple of interesting things. One, designing a forum is a lot of work lol. Two, after being hacked by one Mr. B9 (who is now helping me safeguard GrimBB, ironic isn't it?), password hacking wasn't the only thing I had to worry about. He pointed out XSS, which is cross-site scripting. Basically it means people putting JavaScript into their posts in creative ways. You would think that searching for the <script> tag would take care of that, but sadly no. There are a variety of ways of getting JavaScript into posts. Lots of boards like this one use their own tags enclosed in brackets to prevent the usage of HTML tags of any sort. I didn't much care for that approach; I wanted people to be able to use certain HTML tags without having to create new ones. So here was my solution (in conceptual form) to XSS attacks.

The checkPost function in my code does a great number of things, but the 4 most important are:
  1. Checks for certain HTML tags which are just not allowed
  2. Checks for all JavaScript event triggers that start with the word "on", such as onMouseDown, onClick, etc.
  3. Checks for a '(' within any < > denoting a tag
  4. Checks for '&#' within any < > denoting a tag
The last two are to prevent JavaScript methods from being inserted into HTML tags, and to prevent hackers from using the HTML character entity approach to create the same type of functions. These 4 ways seem to safeguard pretty effectively against XSS. I'm sure there are more ways, but I need them to be pointed out so that I can counter them. Any help is appreciated. If you want to check out the actual code (it's in PHP), just check out my homepage, as it's the link to GrimBB.

Arevos Nov 21st, 2006 4:56 PM

Personally, I prefer using an external library when I need tight security. I prefer the "many eyes" approach over security through obscurity, so I usually look around on Google for a popular solution before rolling my own. The theory is that any well-used library will have relatively few vulnerabilities, as otherwise people wouldn't use it :)

The blurb for the HTML Purifier seems particularly impressive. If I were going to design a similar library, I'd probably go for the deconstruction/reconstruction approach too, though I'm quite impressed that they're actually using the HTML DTD and not just verifying over a strict XML schema or something.
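The two approaches in this thread side by side, as an added example that is not GrimBB's PHP code or HTML Purifier's code. Part one is a Python rendering of the four checkPost rules from the first post (a blocklist that rejects a post outright); part two is a small version of the "deconstruction/reconstruction" approach Arevos describes: parse the post, rebuild only tags and attributes from an allowlist, and re-escape everything else. The tag sets, attribute allowlist and URL scheme list are assumptions chosen for the example, not something either post specifies.

```python
import re
import html
from html.parser import HTMLParser

# ---- Part 1: the four checkPost-style rules from the first post (blocklist) ----
FORBIDDEN_TAGS = {"script", "iframe", "object", "embed", "style", "meta", "link", "form"}  # assumed set
TAG_RE = re.compile(r"<[^>]*>", re.DOTALL)            # anything between < and > counts as "a tag"
EVENT_ATTR_RE = re.compile(r"\bon\w+\s*=", re.IGNORECASE)  # onclick=, onMouseDown=, ... (conservative)


def check_post(body):
    """Return the list of reasons a post is rejected; an empty list means it passes."""
    reasons = []
    for m in TAG_RE.finditer(body):
        tag = m.group(0)
        name_match = re.match(r"</?\s*([a-zA-Z][a-zA-Z0-9]*)", tag)
        name = name_match.group(1).lower() if name_match else ""
        if name in FORBIDDEN_TAGS:                  # rule 1: tag is simply not allowed
            reasons.append(f"forbidden tag <{name}>")
        if EVENT_ATTR_RE.search(tag):               # rule 2: event trigger attribute
            reasons.append(f"event handler attribute in {tag}")
        if "(" in tag:                              # rule 3: '(' inside a tag
            reasons.append(f"'(' inside tag {tag}")
        if "&#" in tag:                             # rule 4: character entity inside a tag
            reasons.append(f"character entity inside tag {tag}")
    return reasons


# ---- Part 2: allowlist parse-and-rebuild (the approach Arevos recommends) ----
ALLOWED = {"b": set(), "i": set(), "u": set(), "p": set(), "br": set(), "a": {"href"}}  # assumed allowlist
VOID = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")  # assumed; anything else on href is dropped


class Rebuilder(HTMLParser):
    """Re-emit only allowlisted tags/attributes; all text is escaped on the way out."""

    def __init__(self):
        # convert_charrefs=True decodes entities in text and attribute values before we
        # look at them, so an entity-encoded scheme is checked in its decoded form.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag is dropped; its text content is still kept (escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # event handlers and other unknown attributes never survive
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:  # close any tags nested inside it so output stays well-formed
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def close_all(self):
        while self.open:
            self.out.append(f"</{self.open.pop()}>")


def sanitize(body):
    """Rebuild a post from the allowlist; returns markup safe to embed in a page."""
    r = Rebuilder()
    r.feed(body)
    r.close()
    r.close_all()
    return "".join(r.out)


if __name__ == "__main__":
    # constructed sample posts
    for post in ['<b>hello</b>', '<b onclick="x">hi</b>', '<a href="&#104;ttp://x">t</a>']:
        print(post, "->", check_post(post) or "accepted", "|", sanitize(post))
```

The contrast worth noticing: check_post can only say yes or no to the whole post, and its answer depends on the pattern list being complete, whereas sanitize never has to know what an attack looks like; it knows only what it is willing to emit, and anything not on that list never reaches the output.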


Copyright ©2007 DaniWeb® LLC