  • #1 posted by [vengeance] (Regular Coder)

    Help with regex and question!

    Hello.

    I'm coding a form where people can post whatever they want to - HTML is allowed! However, there are these simple META HTML redirects, which I want to block.

    So I store the posted information in a variable called $postContent, and then I want to check with a regular expression whether the user posted something like:

    Code:
    <META HTTP-EQUIV=Refresh CONTENT="2; URL=http://badwebsite.com">
    I'm not really familiar with regular expressions, so any help/explanation of code is appreciated.

    And my question is - are there any other harmful codes written in HTML that I should be aware of?

    I know allowing everyone to do HTML isn't that great of an idea, but I want/need it to be that way.
    Last edited by [vengeance]; 09-02-2009 at 04:59 PM.

  • #2 posted by funnymoney (Regular Coder)

    Originally Posted by [vengeance]:
        And my question is - are there any other harmful codes written in HTML that I should be aware of?
    I'm not in the mood to write regex right now, but as for other question...

    Javascript! If you allow HTML then you probably allow someone to write Javascript to your website and that is dangerous!

    Study on XSS.

  • #3 posted by [vengeance] (Regular Coder)
    Oh yeah, right. I totally forgot about JavaScript/XSS. :x

    So would blocking JavaScript be an option, or are there too many alternatives on how to attack a website when HTML writing is allowed?

  • #4 posted by funnymoney (Regular Coder)

    Originally Posted by [vengeance]:
        So would blocking JavaScript be an option, or are there too many alternatives on how to attack a website when HTML writing is allowed?

    I think MySpace allows HTML to be written directly to the website, and it's still working.

    You need to check the usual vulnerabilities like MySQL injections, execution of PHP code, malicious HTML like that <meta redirect you noted, and of course JavaScript XSS possibilities.

    Personally I wouldn't use HTML but plain good ol' BBCode, but even if you allow HTML you can make a secure website, just with a lot more planning beforehand.

  • #5 posted by [vengeance] (Regular Coder)

    I personally don't want to use BBCodes - at least not for this feature.

    But again - all that you mentioned, wouldn't it just simply be regex checks and then an error message if any of the strings are found?

    Like <meta, <script, etc.?

  • #6 posted by funnymoney (Regular Coder)

    Yes, it should be enough, although I read about JavaScript that there are other ways to execute it on a website, by bypassing the use of <script> tags. I'm not 100% sure about that.

  • #7 posted by [vengeance] (Regular Coder)
    Thanks for your reply.

    I found something much more efficient and simple to use.

    http://pear.php.net/package/HTML_Safe
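The approach the thread ends up at (#5 asks whether regex checks for <meta, <script etc. are enough, #6 suspects they are not, #7 switches to HTML_Safe) is the allow-list approach: parse the submission and keep only known-safe elements, attributes and URL schemes, so nothing the filter never heard of gets through. The block below is an added example written for this page, not code from the posters or from PEAR HTML_Safe; it needs PHP with the DOM extension, and the allow lists and the `sanitizeHtml`/`isSafeUrl` names are assumptions to adjust for the feature.

```php
<?php
// Added example for this thread, not code from the posters or from PEAR HTML_Safe.
// Allow-list sanitizer: anything not explicitly permitted is dropped, so
// <meta http-equiv=refresh>, <script>, on* handlers and javascript: URLs never
// reach the stored $postContent, with no regex needed per known attack string.
// The allow lists are assumptions; trim them to what the feature needs.
const ALLOWED_TAGS    = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'a', 'ul', 'ol', 'li', 'blockquote', 'img'];
const ALLOWED_ATTRS   = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
const ALLOWED_SCHEMES = ['http', 'https'];

function isSafeUrl(string $url): bool
{
    // Browsers ignore control characters and whitespace inside a scheme,
    // so strip them before deciding what the scheme is.
    $scheme = parse_url(preg_replace('/[\x00-\x20\x7f]+/', '', $url), PHP_URL_SCHEME);
    if ($scheme === false) return false;    // unparsable: reject
    if ($scheme === null)  return true;     // relative URL, no scheme to abuse
    return in_array(strtolower($scheme), ALLOWED_SCHEMES, true);
}

function sanitizeHtml(string $postContent): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);       // user HTML is rarely well-formed
    // The leading processing instruction makes libxml read the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $postContent);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) return '';          // nothing survived parsing
    $xpath = new DOMXPath($doc);
    // Snapshot the list: removing nodes while walking a live NodeList skips items.
    foreach (iterator_to_array($xpath->query('//body//*')) as $el) {
        $tag = strtolower($el->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $el->parentNode->removeChild($el);   // drops the element and its subtree
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name    = strtolower($attr->name);
            $allowed = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                && (!in_array($name, ['href', 'src'], true) || isSafeUrl($attr->value));
            if (!$allowed) $el->removeAttribute($attr->name);
        }
    }
    // Serialize only <body> content; anything libxml moved to <head> (meta, title) is never emitted.
    $out = '';
    foreach ($body->childNodes as $child) $out .= $doc->saveHTML($child);
    return $out;
}
```

Run it on $postContent once at submission time and store the returned string as the post body, so the sanitized version is the only one that ever reaches a page.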