terungwa
Posted April 22, 2014

In the bulletin board that I am designing, I have included a bbcode script shown below. Also, I am using htmlentities to sanitize user input. However, for the user-submitted code (via use of the bbcode tag) to be printed out when a user views the topics page, I had to implement array_flip(), which is capable of reversing the text-to-HTML translation achieved with htmlentities(). My question is, does this sequence of operations compromise the site, and is there a better way of doing this?

htmlentities:

    $post_content = htmlentities(stripslashes($_POST['post_content']));

bbcode script:

    function phpbbcode($s) {
        // drop the newline that follows a closing "]" so the tag renders inline
        $s = str_replace("]\n", "]", $s);
        // the "e" modifier makes preg_replace evaluate the replacement as PHP code
        $match = array('#\[php\](.*?)\[\/php\]#se');
        $replace = array("'<span>'.highlight_string(stripslashes('$1'), true).'</span>'");
        return preg_replace($match, $replace, $s);
    }

array_flip script:

    $text = $comments_row['post_content'];
    $entities = get_html_translation_table(HTML_ENTITIES);
    $translate = array_flip($entities);   // entity => character, to undo htmlentities()
    $new_text = strtr($text, $translate);
    echo $new_text;
Jacques1
Posted April 22, 2014

This is a massive security hole, because the “e” modifier can be used by visitors to run arbitrary PHP code. Please read the warnings in the manual: http://php.net/manual/en/reference.pcre.pattern.modifiers.php#reference.pcre.pattern.modifiers.eval

In general, I strongly recommend you keep away from any home-made BBCode implementation. Almost every attempt I've seen so far ended up with all kinds of cross-site scripting vulnerabilities or worse. Use an established library. What about this one?
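Added example, not code from the thread or from either poster: the same [php] tag rendered without the "e" modifier (a callback receives the captured text as data, nothing is evaluated), with the post stored raw and escaped once at output, so the array_flip() reversal step disappears. It assumes PHP 5.4 or later (magic quotes are gone, so stripslashes() is not needed); render_post and the sample post are names and data chosen here.

```php
<?php
// Render one stored post for display. The stored value is the raw text the
// user typed; escaping happens here, exactly once, on the way out.
function render_post(string $raw): string
{
    // 1. Neutralise every HTML-significant character in the whole post.
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Expand [php]...[/php] with preg_replace_callback. The pattern has no
    //    "e" modifier; "s" only lets the block span lines. The capture $m[1]
    //    is passed to highlight_string() as a string argument, never run.
    return preg_replace_callback(
        '#\[php\](.*?)\[/php\]#s',
        function (array $m): string {
            // Undo step 1 for the code only, so highlight_string() sees the
            // original source text. It emits its own entity-escaped HTML, so
            // characters like < and & inside the code cannot reach the page raw.
            $code = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<span>' . highlight_string($code, true) . '</span>';
        },
        $escaped
    );
}

// Constructed sample post: a code block plus a stray script tag outside it.
// The script tag comes out as &lt;script&gt;..., and the code block is
// highlighted, with its quotes and tags escaped by highlight_string().
$sample = "Look at this:\n[php]<?php echo 'hi'; ?>[/php]\n<script>alert(1)</script>";
echo render_post($sample), "\n";
```

Because the bbcode pass runs on already-escaped text, a user cannot smuggle markup in around the tag, and nothing in the post is ever interpreted as PHP.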