Jump to content

Archived

This topic is now archived and is closed to further replies.

FunkyELF

Security Problem?

Recommended Posts

Hi guys, this is my first post on here so don't hate on me.
I'm brand new to PHP and the only HTML I have done was static stuff 7 or 8 years ago.

With that being said...I came across a site showing how to highlight PHP using PHP.  What I really want is for any request for a .phps file (which doesn't exist) to pass the coresponding .php file though the highlighter...but I'll save that for another post.

What I came across was the following code which I put in my htdocs directory....

highlight.php:
[code]<?php

if (!empty($_POST['text'])){
 
  echo '<div style="border: solid 1px orange; padding: 20px; margin: 20px">';
  highlight_string($_POST['text']);
  echo '</div>';
}
?>

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
  <textarea name="text" style="width: 100%; height: 500px"><?php 
      echo @$_POST['text']; 
  ?></textarea>
  <br />
  <input type="submit" value="Highlight" />
</form>[/code]

So I try it out and it works pretty well.  Then I decide to have it parse itself and I copy the entire file into the field and press "highlight" and what I get at the bottom was two "highlight" buttons.

Now, if I go and paste the following in there, I get 4 buttons saying "Should" "These" "Be" and "Here?" above the "highlight" button.

[code]<?php

if (!empty($_POST['text'])){
 
  echo '<div style="border: solid 1px orange; padding: 20px; margin: 20px">';
  highlight_string($_POST['text']);
  echo '</div>';
}
?>

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
  <textarea name="text" style="width: 100%; height: 500px"><?php 
      echo @$_POST['text']; 
  ?></textarea>
  <br />
  <input type="submit" value="Should" />
  <input type="submit" value="these" />
  <input type="submit" value="be" />
  <input type="submit" value="here?" />
</form>[/code]

Its not that it contains non PHP stuff is it?...If I paste the following it works fine and I see <H1>Where am I?</H1> inside the orage rectangle where it should be but if I put <H1>Where am I?</H1> under those <input> buttons in the above example, the text "Where am I?" gets rendered as a heading.

[code]<?php
    echo "Will the following be inside or outside the orage box?<br/>";
?>
<H1>Where am I?</H1>[/code]


Somewhere in there it seems like it is getting out of the highlight_string function and the remainder gets dumped and rendered by the browser.  Is this bad for security since anything could get displayed by the browser?  What is the worst thing that could happen?... a javascript redirect?  Obviously if you're reading this, whoever wrote this forum software did their syntax highlighting the right way otherwise you'd be seeing my input buttons on this page.

Thanks in advance,
~Eric

Share this post


Link to post
Share on other sites
http://sg.php.net/manual/en/function.htmlspecialchars.php will probably do it.  That will escape the HTML so it doesn't escape the textarea.

Edit: Er.. I mean, so it doesn't "get out of" the textarea.  Bad choice of words :)

Share this post


Link to post
Share on other sites
[quote author=btherl link=topic=111338.msg451249#msg451249 date=1160720925]
http://sg.php.net/manual/en/function.htmlspecialchars.php will probably do it.[/quote]

Nope.  Did you try it?
Besides still placing the buttons there and allowing anything I want to get rendered by the browser, the stuff that actually stayed in the orange box wasn't highlighted at all !

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.