XSS Handling

#1, grimpirate, Nov 21st, 2006, 4:08 PM

Working on GrimBB, I've learned a couple of interesting things. One, designing a forum is a lot of work, lol. Two, after being hacked by one Mr. B9 (who is now helping me safeguard GrimBB; ironic, isn't it?), password hacking wasn't the only thing I had to worry about. He pointed out XSS, which is cross-site scripting. Basically it means people putting JavaScript into their posts in creative ways. You would think that searching for the <script> tag would take care of that, but sadly no. There are a variety of ways of getting JavaScript into posts. Lots of boards like this one use their own tags enclosed in brackets to prevent the usage of HTML tags of any sort. I didn't much care for that approach; I wanted people to be able to use certain HTML tags without having to create new ones. So here was my solution (in conceptual form) to XSS attacks.

The checkPost function in my code does a great number of things, but the 4 most important are:
  1. Checks for certain HTML tags which are just not allowed
  2. Checks for all JavaScript event triggers that start with the word "on", such as onMouseDown, onClick, etc.
  3. Checks for a '(' within any < > denoting a tag
  4. Checks for '&#' within any < > denoting a tag
The last two are to prevent JavaScript methods from being inserted into HTML tags, and to prevent hackers from using the HTML character entity approach to create the same type of functions. These 4 ways seem to safeguard pretty effectively against XSS. I'm sure there are more ways, but I need them to be pointed out so that I can counter them. Any help is appreciated. If you want to check out the actual code (it's in PHP), just check out my homepage, as it's the link to GrimBB.
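The four checkPost rules listed in the post, written out as an added example in Python rather than GrimBB's PHP (this is not GrimBB's code, which I have not seen; the banned-tag list and the regular expression used for "on..." attributes are my assumptions). It runs over a few constructed sample posts. Besides the rejections the post describes, the last sample shows what rule 3 does to a harmless tag whose title attribute happens to contain a parenthesis.

```python
import re

# Added example: the four checkPost rules from the post, implemented as a
# denylist filter. Not GrimBB's code; the BANNED_TAGS list is an assumption.
BANNED_TAGS = {"script", "iframe", "object", "embed", "style", "meta", "link", "form"}

TAG_RE = re.compile(r"<([^<>]*)>")                          # anything written between < and >
TAG_NAME_RE = re.compile(r"/?\s*([a-zA-Z][a-zA-Z0-9]*)")     # element name, closing tags included
EVENT_ATTR_RE = re.compile(r"\bon\w+\s*=", re.IGNORECASE)   # onclick=, onMouseDown=, ...


def check_post(body: str):
    """Return (accepted, reason); the post is rejected on the first rule it trips."""
    for match in TAG_RE.finditer(body):
        inner = match.group(1).strip()
        name_match = TAG_NAME_RE.match(inner)
        name = name_match.group(1).lower() if name_match else ""

        # 1. tags that are simply not allowed
        if name in BANNED_TAGS:
            return False, f"banned tag <{name}>"
        # 2. any attribute whose name starts with "on"
        if EVENT_ATTR_RE.search(inner):
            return False, "javascript event handler attribute"
        # 3. a '(' anywhere inside the tag (blocks method calls in attribute values)
        if "(" in inner:
            return False, "'(' inside a tag"
        # 4. a character entity inside the tag (blocks the &#40; spelling of '(')
        if "&#" in inner:
            return False, "character entity inside a tag"
    return True, "ok"


# Constructed sample posts for the demonstration.
SAMPLE_POSTS = {
    "plain": '<b>Hello</b> <a href="http://example.com">link</a>',
    "script_tag": "<script>alert(1)</script>",
    "event_attr": '<img src="x" onerror="alert(1)">',
    "paren_in_href": '<a href="javascript:alert(1)">x</a>',
    "entity_in_href": '<a href="javascript:alert&#40;1&#41;">x</a>',
    "harmless_paren": '<a href="http://example.com" title="see (note 2)">x</a>',
}


def run_samples():
    """Map each sample name to the (accepted, reason) pair check_post returns for it."""
    return {name: check_post(body) for name, body in SAMPLE_POSTS.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in run_samples().items():
        print(f"{name:16} {'accept' if accepted else 'reject'}: {reason}")
```

Note that the rules work on whatever the regex picks out between `<` and `>`, so they are only as good as that tokenisation, and rule 3 rejects any tag containing a parenthesis, whether or not it is a method call.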
#2, Arevos, Nov 21st, 2006, 4:56 PM
Personally, I prefer using an external library when I need tight security. I prefer the "many eyes" approach over security through obscurity, so I usually look around on Google for a popular solution before rolling my own. The theory is that any well-used library will have relatively few vulnerabilities, as otherwise people wouldn't use it.

The blurb for the HTML Purifier seems particularly impressive. If I were going to design a similar library, I'd probably go for the deconstruction/reconstruction approach too, though I'm quite impressed that they're actually using the HTML DTD and not just verifying over a strict XML schema or something.
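An added illustration of the deconstruction/reconstruction approach Arevos describes: parse the post into a token stream, keep only allowlisted elements and attributes, and regenerate the markup from scratch. This is example code written for this thread, not HTML Purifier's implementation (HTML Purifier derives what it permits from the HTML DTD; the small allowlist, the URL scheme check and the element sets below are assumptions for the example). Because the parser decodes attribute values before the URL check runs, the entity-encoded `javascript:` href in the samples ends up treated exactly like the plain one, which is the case the first post's '&#' rule was aimed at.

```python
from html import escape
from html.parser import HTMLParser

# Added example of the deconstruct/reconstruct approach: parse, keep only
# allowlisted markup, regenerate. Not HTML Purifier's code; the allowlist,
# URL schemes and element sets below are assumptions for the example.
ALLOWED = {
    "b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}                      # never receive a closing tag
DROP_WITH_CONTENT = {"script", "style"}   # element and its text both removed
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def safe_url(value: str) -> bool:
    """Accept known-good absolute schemes and scheme-less (relative) URLs only."""
    v = value.strip().lower()
    return v.startswith(SAFE_SCHEMES) or ":" not in v


class Rebuilder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities are decoded before we see them
        self.out = []
        self.open_tags = []     # allowed elements still open, for well-formed output
        self.skipping = None    # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED:
            return              # unknown element dropped; its text is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue        # onclick=..., style=..., etc. never survive
            if name in URL_ATTRS and not safe_url(value):
                continue        # javascript: and friends, however they were encoded
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            # close everything opened after it so nesting stays balanced
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))   # text is re-encoded on output

    def finish(self) -> str:
        self.close()
        while self.open_tags:                 # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def purify(post: str) -> str:
    """Rebuild a post from the parsed token stream, keeping only allowlisted markup."""
    p = Rebuilder()
    p.feed(post)
    return p.finish()


if __name__ == "__main__":
    for sample in (                           # constructed inputs
        '<b>Hello</b> <a href="http://example.com" onclick="alert(1)">link</a>',
        '<a href="javascript:alert(1)">x</a>',
        '<a href="javascript&#58;alert(1)">x</a>',
        "<script>alert(1)</script>hi",
        "<i><b>x</i></b>",
    ):
        print(repr(sample), "->", repr(purify(sample)))
```

The difference from a denylist is where the decision is made: nothing reaches the output unless it was explicitly regenerated from an allowed element, so the filter never has to enumerate the ways an attacker might spell a dangerous attribute.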
DaniWeb IT Discussion Community
Copyright ©2007 DaniWeb® LLC