Jump to content


Photo

Security Problem?


  • Please log in to reply
2 replies to this topic

#1 FunkyELF

FunkyELF
  • New Members
  • Pip
  • Newbie
  • 7 posts

Posted 12 October 2006 - 09:01 PM

Hi guys, this is my first post on here so don't hate on me.
I'm brand new to PHP and the only HTML I have done was static stuff 7 or 8 years ago.

With that being said...I came across a site showing how to highlight PHP using PHP.  What I really want is for any request for a .phps file (which doesn't exist) to pass the coresponding .php file though the highlighter...but I'll save that for another post.

What I came across was the following code which I put in my htdocs directory....

highlight.php:
<?php

if (!empty($_POST['text'])){
   
   echo '<div style="border: solid 1px orange; padding: 20px; margin: 20px">';
   highlight_string($_POST['text']);
   echo '</div>';
}
?>

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
   <textarea name="text" style="width: 100%; height: 500px"><?php  
       echo @$_POST['text'];  
   ?></textarea>
   <br />
   <input type="submit" value="Highlight" />
</form>

So I try it out and it works pretty well.  Then I decide to have it parse itself and I copy the entire file into the field and press "highlight" and what I get at the bottom was two "highlight" buttons.

Now, if I go and paste the following in there, I get 4 buttons saying "Should" "These" "Be" and "Here?" above the "highlight" button.

<?php

if (!empty($_POST['text'])){
   
   echo '<div style="border: solid 1px orange; padding: 20px; margin: 20px">';
   highlight_string($_POST['text']);
   echo '</div>';
}
?>

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
   <textarea name="text" style="width: 100%; height: 500px"><?php  
       echo @$_POST['text'];  
   ?></textarea>
   <br />
   <input type="submit" value="Should" />
   <input type="submit" value="these" />
   <input type="submit" value="be" />
   <input type="submit" value="here?" />
</form>

Its not that it contains non PHP stuff is it?...If I paste the following it works fine and I see <H1>Where am I?</H1> inside the orage rectangle where it should be but if I put <H1>Where am I?</H1> under those <input> buttons in the above example, the text "Where am I?" gets rendered as a heading.

<?php
    echo "Will the following be inside or outside the orage box?<br/>";
?>
<H1>Where am I?</H1>


Somewhere in there it seems like it is getting out of the highlight_string function and the remainder gets dumped and rendered by the browser.  Is this bad for security since anything could get displayed by the browser?  What is the worst thing that could happen?... a javascript redirect?  Obviously if you're reading this, whoever wrote this forum software did their syntax highlighting the right way otherwise you'd be seeing my input buttons on this page.

Thanks in advance,
~Eric


#2 btherl

btherl
  • Staff Alumni
  • Advanced Member
  • 3,893 posts
  • LocationAustralia

Posted 13 October 2006 - 06:28 AM

http://sg.php.net/ma...pecialchars.php will probably do it.  That will escape the HTML so it doesn't escape the textarea.

Edit: Er.. I mean, so it doesn't "get out of" the textarea.  Bad choice of words :)

#3 FunkyELF

FunkyELF
  • New Members
  • Pip
  • Newbie
  • 7 posts

Posted 13 October 2006 - 12:47 PM

http://sg.php.net/ma...pecialchars.php will probably do it.


Nope.  Did you try it?
Besides still placing the buttons there and allowing anything I want to get rendered by the browser, the stuff that actually stayed in the orange box wasn't highlighted at all !




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users