Could someone check out my little bbcode for security issues

[fortnox007]

Hi all, if someone of you has a little spare time i would love to hear what you find about the small code below. I combined some scattered stuff around the internet. and was hoping some guru could tell me if its ok to output without any sneaky javascript to get inserted within the tags or other nasty stuff.

 

Its a bb code that first trims the string, applies html entities than puts newlines to breaks and finishes it of with a little bbcode in the end. I was hoping if this is secure enough to output text in this case a post var but am aiming for data from the database.

Thanks in advance :

 

<?php
       //replace stuff
       //bb function
       function bbcode($data)
  {
          $input = array(
                  '/\[b\](.*?)\[\/b\]/is',
                  '/\[i\](.*?)\[\/i\]/is',
                  '/\[u\](.*?)\[\/u\]/is',
                  '/\[img\](.*?)\[\/img\]/is',
                  '/\[url\](.*?)\[\/url\]/is',
                  '/\[url\=(.*?)\](.*?)\[\/url\]/is'
                  );

          $output = array(
                  '<strong>$1</strong>',
                  '<em>$1</em>',
                  '<u>$1</u>',
                  '<img src="$1" />',
                  '<a href="$1">$1</a>',
                  '<a href="$1">$2</a>'
                  );

          $rtrn = preg_replace ($input, $output, $data);

          return $rtrn;
       }
       //
       if(isset($_POST['submit'])&& !empty($_POST['textvar'])){
           $error_message = '';
           $string = trim(htmlentities($_POST['textvar'], ENT_QUOTES));
           $clean = nl2br($string);
           $super_clean = bbcode($clean);
       }else{
           $error_message = 'enter some text';
           $clean = '';
           $super_clean ='';
       }

[requinix]

Your links don't protect against JavaScript execution.

[url=javascript:alert("XSS")]link[/url]

[johnny86]

Same goes for <img src="javascript: xss_attack">

[fortnox007]

awesome i had a feeling about them.

 

Anyone maybe know how to protect those tags with a [tag=] or should i just remove those from the bbcode.

 

-edit: i placed http:// in it could that maybe help?

'<a href="http://$1">$2</a>'

 

[johnny86]

No it doesn't help. All the user needs to do is prepend some javascript to the link. If you are allowing any html in your posts, you should take a look at http://htmlpurifier.org/ which is a great tool to also filter xss attacks. Nothing is 100% safe but still. =)

[fortnox007]

thanks Johny, I will certainly check that out. Small reason why i am trying a bit myself is to understand more how to neutralize those senaky people

 

-edit oh that package is like 3 MB. hmm that's something for in the weekend.

[johnny86]

XSS attacks are so broad context that it would take one person to constantly observe browser evolving and everything related to that and still there would be something that one person will miss. It's best to use the tools we are given for the job. If you MUST allow something, then do it but use the most extensive tools. =)

 

Some XSS attacks work with only certain browsers or charsets or with a certain encoding. It is almost impossible to be sure. You could allow user to submit URL that match some security settings you have decided to use. In the cost of that some rare URLs users submit will be considered "bad" even tough they might not be. Just to make sure.. You can never be too careful.

[requinix]

As an example of that, some browsers support inline content with data:. Suppose a flaw is found in how a particular browser handles (eg) an image: someone could

[img=data:image/png;base64,malicious data...]

If they spread that on your site, everyone viewing it in the affected browser will be compromised.

 

Re: prepending "http://".

What if someone wants to link to an FTP site? Or email address?

[fortnox007]

Hi requinix,

 

that data thing really look horrible. I will certainly look out for that. I just glimpse of that html purifier and I don't even know where to start and I am certainly not sure if for such a 'simple' thing a directory full of files (3mb) is that efficient. Also i am the biggest noob ever with that object orientated code it's hard to see the bigger picture.

 

I am still searching my butt off for understandable filters for this occasion which I could make myself.

Is http://www.php.net/manual/en/filter.filters.sanitize.php maybe useful or is that already compromised too?

 

I am camping at Chris Shiflett's blog at the moment, but all I found Is 'i can recommend html purifier' I might make another topic just for that because i think this html purifier is a bit offtopic.

 

Sorry for my noobiness, I am just not evil enough to see what might be coming and the last thing i want is sell something which is insecure.