
Bug #1512 URL Tags Allow Javascript injection
Submitted: 2004-05-27 02:51 UTC Modified: 2007-07-02 13:30 UTC
From: hfuecks Assigned: cweiske
Status: Closed Package: HTML_BBCodeParser
PHP Version: Irrelevant OS: Any
Roadmaps: (Not assigned)


 [2004-05-27 02:51 UTC] hfuecks
Description:
The [url /] tag allows Javascript injection, for example: [url=javascript:location.replace("http://www.google.com/search?q="+document.domain);]Click here[/url] Realise that this may be expected behaviour - some users will want to allow Javascript - but I believe the majority expect a BBCode parser to sanitize everything a user submits and will not add further logic to remove Javascript. Recommend stripping anything that looks like Javascript in [url/] tags and possibly validating URLs. Perhaps both could be controlled by configuration settings.

Comments

 [2005-09-26 21:20 UTC] seth at pricepages dot org
I've created a new version of the filter Links.php that fixes Bugs #1388, #1512, #1755, and #3932. It also adds a few extra things, such as a list of accepted schemes, adding a trailing slash to the url where appropriate, and removing trailing whitespace from the file. Please bang on it and tell me what you think and send me a testcase/patch if something breaks. Like everyone here, I'd like this to be bulletproof. Maybe once the maintainer comes out of hibernation we can get this into the main tree. One thing that could be fixed is matching anything not "[url]" or "[url=" brackets in the first preparse regexp. I'm not sure the best regular expression there. Here is a link to the updated class: http://pricepages.org/bbcode/Link.php.zip
 [2005-09-27 08:43 UTC] seth at pricepages dot org
 [2005-10-20 16:55 UTC] seth at pricepages dot org
I've fixed this bug and a number of others. Please take a look if you can, because I'd expect there to be new bugs in a rewrite of this size. (I'd call it version 2.0-beta) Link: http://pricepages.org/bbcode/BBCodeParser.zip
* Unit tests!
* More currently open bugs that have been fixed: 5609 4844 3447 1979 373 2580 3775
* I rewrote the _buildTagArray() function. It had been using half of the execution time in my tests. A TODO: in the comments said "rewrite this function". It is now almost 2x faster than the original function in my informal tests.
* I rewrote _validateTagArray() in an effort to make it more useful and faster. Mission accomplished. It would be easier to read, too, but there is quite a bit more going on there. But commenting lines probably equal code lines.
* Output should _always_ be XHTML 1.1 compatible.
* Per discussion on the Developer list, you can now pass a flag that determines the action on an error or warning during parsing. Actions include: correcting the problem, aborting parsing, ignoring the invalid tag, and deleting the invalid tag. Examples: If you only accept valid input, set both warn and error to 'abort' and parsing will be aborted as soon as a problem is found. If you accept invalid feedback, but want to give the user feedback on which tags caused problems, then set both error and warn to 'ignore' and the bad tags will be displayed. If you want to make the output as pretty as possible, then you want to auto-correct when you can and delete when you can't. Set the options to delete on error, and correct on warn. (There are twelve combinations to fit various situations.)
* I've attempted to maximize BC, but here are the only ways in which BC is broken (to my knowledge): Custom list numbering is now ignored for XHTML 1.1 reasons. I reverted back to single quotes by default. HTML is now automatically escaped to fix a few "bugs" (I believe that Text_Wiki also automatically escapes HTML). Old filters are incompatible with the new filters (the 'allowed' tag variable has been replaced with a more powerful set of variables and they use a different format).
~Seth
 [2006-07-06 13:36 UTC] rather at not dot com (Jafo)
Could you post a link to the updated link class that works?
 [2007-03-08 05:40 UTC] joey
It's better to comment on an existing bug entry (even if it's an old one), rather than creating a new one. I've noticed I can inject javascript with the color tag also. [color=white'onmouseover='javascript:alert(1);]white[/color] I'm using version 1.1 of the BBparser
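The two defences this thread converges on are a scheme allow-list for [url] targets (as in Seth's filter) and validating, not merely escaping, the value of attribute tags such as [color]. The following is added example code written in Python for this page, not part of HTML_BBCodeParser or Seth's patch; the scheme allow-list, the colour pattern and the flat (non-nested) tag handling are assumptions.

```python
import html
import re

# Assumed allow-list of schemes a [url] tag may use; the package's own list may differ.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}
# A colour value must be a CSS colour name or #hex triplet; anything else is rejected
# outright instead of being escaped into the style attribute.
COLOR_RE = re.compile(r"^(?:[a-zA-Z]{1,20}|#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6})$")
URL_TAG_RE = re.compile(r"\[url(?:=([^\]]*))?\](.*?)\[/url\]", re.I | re.S)
COLOR_TAG_RE = re.compile(r"\[color=([^\]]*)\](.*?)\[/color\]", re.I | re.S)

def safe_url(raw):
    """Return raw if it has an allow-listed scheme, else None.
    Whitespace/control characters are rejected outright: browsers drop them while
    parsing the scheme, so 'java\\tscript:' would otherwise slip past a plain prefix test."""
    if any(ord(ch) <= 32 or ord(ch) == 127 for ch in raw):
        return None
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.\-]*):", raw)
    if m is None:
        return None  # scheme-less (relative) targets are not accepted either
    return raw if m.group(1).lower() in ALLOWED_SCHEMES else None

def _url_sub(m):
    target = m.group(1) if m.group(1) is not None else m.group(2)
    url = safe_url(target)
    if url is None:
        return m.group(2)  # drop the tag, keep the (already escaped) link text
    return '<a href="%s">%s</a>' % (url, m.group(2))

def _color_sub(m):
    if COLOR_RE.match(m.group(1)) is None:
        return m.group(2)  # drop the tag, keep the text
    return '<span style="color:%s">%s</span>' % (m.group(1), m.group(2))

def bbcode_to_html(src):
    """Convert the [url] and [color] subset of BBCode to HTML.
    The whole input is HTML-escaped first, so neither text nor attribute values can
    carry raw quotes or angle brackets; attributes are then validated, not merely escaped."""
    out = html.escape(src, quote=True)
    out = URL_TAG_RE.sub(_url_sub, out)
    return COLOR_TAG_RE.sub(_color_sub, out)

if __name__ == "__main__":
    # Constructed inputs: the two payloads quoted in this thread plus a benign link.
    for sample in (
        '[url=javascript:location.replace("http://www.google.com/search?q="+document.domain);]Click here[/url]',
        "[color=white'onmouseover='javascript:alert(1);]white[/color]",
        "[url=http://pear.php.net/]PEAR[/url] in [color=#ff0000]red[/color]",
    ):
        print(bbcode_to_html(sample))
```

Both payloads from the thread come out as plain text ("Click here" and "white") while the benign link and colour render normally; escaping the whole input before tag matching is the same ordering Seth describes for his rewrite.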
 [2007-07-02 13:30 UTC] cweiske (Christian Weiske)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.