Beta test Threadify


superuser2

Very cool! Great idea.

The only thing I don't like is the design of the thread; it's super huge.

A huge design means there is little content in the thread. If someone took the time to threadify someone, they most definitely need to discuss lots of content, or else why make a thread?

So I suggest the design should be suited for a highly active thread, with lots of text.


Looks great, but remember it was just a suggestion; change stuff if you want to or think it's necessary :)

If you don't mind, I'm currently trying to build my own custom forum,

so I'd be interested in any XSS filtering functions you have made.


Hey superuser2!

I downloaded that InputFilter class for removing unwanted HTML tags and attributes.

I edited it like the instructions said:

var $tagsArray = array('br', 'a', 'b', 'em');

 

so it will take out everything except those tags.

It still takes them out though.

What am I doing wrong?


When you delete a person from your own thread, it takes you to his secret URL, the one you just deleted, and shows that it is not linked with any discussion...

Kind of a problem...

Except for that little problem, I don't think it has any other programming issues...

Oh, I forgot an important one... try fixing your XSS filtering; it isn't good. It displays some tags, some it doesn't; it displays them when there is 1 post and not when there are 2, or vice versa. In a few words, it isn't that stable...

Ex. I wrote "<script"; it echoed "<script" and the browser shows nothing. I post another random thing... I look at the source and the previous post, instead of "<script", has "<script></script>" inside...


Hmm... so it looks like the filtering class I'm using isn't very good. I'll have to find another. But it's late, so that goes on my to-do list. Thanks for finding that.

Beate, that might be because you're putting them in on the wrong parameter (if I recall correctly there's one for the tags to blacklist and another for the tags to whitelist, or something like that).


I think I'm doing this correctly:

Am I not???

tagsMethod is 0, which allows these tags,

and I set the tags I want to allow in tagsArray.

Yet still it deletes them...? What's going on???

 

/** @class: InputFilter (PHP4 & PHP5, with comments)
  * @project: PHP Input Filter
  * @date: 10-05-2005
  * @version: 1.2.2_php4/php5
  * @author: Daniel Morris
  * @contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.
  * @copyright: Daniel Morris
  * @email: dan@rootcube.com
  * @license: GNU General Public License (GPL)
  */
class InputFilter {
	var $tagsArray = array('br', 'a', 'b', 'em');	// edited default; the constructor below reassigns this member
	var $attrArray;			// default = empty array

	var $tagsMethod;		// default = 0
	var $attrMethod;		// default = 0

	var $xssAuto;			// default = 1
	var $tagBlacklist = array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml');
	var $attrBlacklist = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc');  // also will strip ALL event handlers

	/**
	  * Constructor for inputFilter class. Only first parameter is required.
	  * @access constructor
	  * @param Array $tagsArray - list of user-defined tags
	  * @param Array $attrArray - list of user-defined attributes
	  * @param int $tagsMethod - 0= allow just user-defined, 1= allow all but user-defined
	  * @param int $attrMethod - 0= allow just user-defined, 1= allow all but user-defined
	  * @param int $xssAuto - 0= only auto clean essentials, 1= allow clean blacklisted tags/attr
	  */
	function inputFilter($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1) {
		// make sure user defined arrays are in lowercase
		for ($i = 0; $i < count($tagsArray); $i++) $tagsArray[$i] = strtolower($tagsArray[$i]);
		for ($i = 0; $i < count($attrArray); $i++) $attrArray[$i] = strtolower($attrArray[$i]);
		// assign to member vars (this overwrites the defaults declared above with the constructor arguments)
		$this->tagsArray = (array) $tagsArray;
		$this->attrArray = (array) $attrArray;
		$this->tagsMethod = $tagsMethod;
		$this->attrMethod = $attrMethod;
		$this->xssAuto = $xssAuto;
	}

	// the filtering methods that follow in the original class were not included in the post
}


Better use a simple whitelist. Same for element attributes.

 

You reset $this->tagsArray:

 

var $tagsArray = array('br', 'a', 'b', 'em');
//....
$tagsArray = array()
//....
$this->tagsArray = (array) $tagsArray;

 

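The allowlist approach the reply above recommends, written out as an added example in Python (this is not Threadify's code and does not use the PHP InputFilter class posted in the thread). The element list is the one superuser2 described (b, i, u, em, br, p, a, img); the attribute sets, the http/https-only rule for href and src, and the sample inputs are assumptions made for the example. Everything not on the list, including script, iframe, style, every on* event handler and every javascript: or data: URL, is dropped rather than matched against a blacklist; unclosed tags are closed so the output cannot swallow the next post, which is the "<script" symptom reported earlier in the thread.

```python
"""
Allowlist HTML sanitizer for forum posts (added example, not Threadify's code).
Assumptions: the element/attribute sets below and the http/https-only URL rule.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements to keep, each with the attributes it may carry. Anything not
# listed here (script, iframe, style, on* handlers, ...) is dropped.
ALLOWED = {
    "b": set(), "i": set(), "u": set(), "em": set(), "br": set(), "p": set(),
    "a": {"href"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}           # emitted as <tag />, never pushed on the stack
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}    # assumption: rejects javascript:, data:, vbscript:, relative URLs


def safe_url(value):
    """Accept only absolute http(s) URLs with a host part."""
    parts = urlsplit(value.strip())
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                      # drop the tag itself; its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                # unknown attribute or bare flag: drop
            if name in URL_ATTRS and not safe_url(value):
                continue                # javascript:/data: URL or relative path: drop
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        if tag in VOID_TAGS:
            self.out.append("<%s%s />" % (tag, "".join(kept)))
        else:
            self.out.append("<%s%s>" % (tag, "".join(kept)))
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                      # stray or disallowed close tag
        while self.open_tags:           # close anything still open inside it
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        super().close()
        while self.open_tags:           # unclosed tags are closed, not left dangling
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    # constructed sample posts
    for post in ['<b>bold</b> <script>alert(1)</script>',
                 '<img src="x" onerror="alert(1)">',
                 '<a href="javascript:alert(1)" onclick="x">click</a>',
                 '<p>unclosed <b>bold',
                 '<img src="http://img.example/image.jpeg" />']:
        print(repr(post), "->", repr(sanitize(post)))
```

Note what the last sample shows: an `<img>` whose src is a well-formed http URL passes, because from the sanitizer's point of view it is exactly what an allowed image looks like. Whether the URL really serves an image is a separate question, which is where the thread goes next.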

I am unable to recreate the problems encountered with the input filter. Will those experiencing problems please send me a Personal Message telling me something I can find the thread by (your email, your secret URL, your thread title or message body)? Thanks. To prove I do indeed own it I have posted a message at:

 

http://sudo2.com/labs/Threadify/phpfreaks.html

 

stating that I do indeed take responsibility for this message and that I am who I say I am.

I have it set to allow "b", "i", "u", "br", "p", "a", and "img", so those ought to come through. I completely remove any other JavaScript or other element. Bold, underline, italic, line breaks, paragraphs, links, and images are all perfectly appropriate in the context of a private forum thread, I think.

 

Please let me know if something is leaking through.


2 words:

form validation

Agreed, I left all the fields blank on the index page and it said it still created the group.

Also, why is the secret URL sent to my e-mail address but not displayed on the confirmation page?

If I'm the person that entered the e-mail address, why not just give me the URL then? I hate checking my e-mail before being able to use a site!


I have it set to allow "b", "i", "u", "br", "p", "a", and "img", so those ought to come through.

 

Some care should be taken when allowing img tags, since they can be abused for XSS. Any element that instructs the browser to fetch an external object can.


Validation has been implemented; this means form fields can't be blank and email addresses must look real to be confirmed.

To test out the improved system, I have flushed the database, so any and all existing threads and messages are gone.

Images: but forums allow dynamic images; how do they keep it safe? I want to have images allowed and do not have the resources to host the images myself. Can someone more clearly explain how one could cross-site script with an image?


Not all forums allow dynamic images; that's not true at all. Many are making it a default option to not allow dynamic images; one of these forums is invasionboard forums.

Dynamic images are like pic.jpg?var=this&var=that

or image.php?var=this

With mod_rewrite I can change any extension to reference something else.

For example, I have a script called sniffsessions.php;

now it looks like image.jpeg.

So when this is displayed in your thread:

<img src="image.jpeg"/>

it in essence loads my sniffsessions.php script.

There's not much you can do about this, as it looks like a regular image and is not a dynamic image.

However, you can do some kind of image validation, like use a function to check the height and width of an image; if the function errors, then image.jpeg is not really an image, is it? etc...

Basically any script can be hidden as an image, and any script can be loaded via the <img> tag, whether it looks like .jpeg or not.

You can simply do:

<img src="maliciouscript.php?hack=you" />

and hide scripts in img tags like that, etc....

If they load an outside .js script, this can do all kinds of things to your page (XSS).

hack.js contents:

<script>

alert('you have been hacked!');

</script>

 

 

All you have to do is <img src="hack.js" /> and now it is part of your source code and part of your page.

 

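The "check the height and width of an image" idea from the post above, as an added example in Python (not Threadify's code). It parses only the first bytes that a server returns for an image URL, confirms they start like a PNG, GIF or JPEG, and reads the dimensions from the header; a rewritten URL that hands back a script's text output, or a header with zero-sized dimensions, is rejected. The sample blobs are constructed by hand for the example, and the 4096-pixel bound is an assumption. Two caveats a practitioner should keep in mind: the check only describes what the remote host served to the validator at post time, and the host can answer differently to readers later; and whatever bytes it serves, the image host still sees each reader's IP address and Referer header on every load.

```python
"""
Magic-byte and dimension check for remotely hosted images.
Added example for this thread, not Threadify's code. Sample inputs are
constructed headers; MAX_SIDE is an assumed bound.
"""
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_SIDE = 4096                      # assumption: reject absurd or zero dimensions


def image_dimensions(data):
    """Return (format, width, height), or None if data does not start like an image."""
    # PNG: 8-byte signature, then the IHDR chunk with width/height as big-endian u32.
    if data[:8] == PNG_SIGNATURE and data[12:16] == b"IHDR" and len(data) >= 24:
        width, height = struct.unpack(">II", data[16:24])
        return ("png", width, height)
    # GIF: "GIF87a"/"GIF89a", then the logical screen size as little-endian u16.
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        width, height = struct.unpack("<HH", data[6:10])
        return ("gif", width, height)
    # JPEG: SOI marker, then length-prefixed segments; the first SOFn carries the size.
    if data[:2] == b"\xff\xd8":
        i = 2
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker = data[i + 1]
            seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                height, width = struct.unpack(">HH", data[i + 5:i + 9])
                return ("jpeg", width, height)
            if seg_len < 2:
                break                # malformed segment length; do not loop forever
            i += 2 + seg_len
    return None


def accept_image(data):
    """True only if the bytes parse as an image with non-zero, bounded dimensions."""
    info = image_dimensions(data)
    if info is None:
        return False
    _, width, height = info
    return 0 < width <= MAX_SIDE and 0 < height <= MAX_SIDE


# --- constructed sample inputs (headers only; enough for the checks above) ---
SAMPLE_PNG = (PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR"
              + struct.pack(">II", 320, 240) + b"\x08\x02\x00\x00\x00")
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 16, 16) + b"\x00\x00\x00"
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00"      # APP0 segment
               + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08"          # SOF0 segment
               + struct.pack(">HH", 480, 640)                            # height, width
               + b"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01")
# What a rewritten image.jpeg URL might really hand back: a script's text output.
FAKE_IMAGE = b"<?php session_start(); /* served under the name image.jpeg */ ?>"
ZERO_PNG = (PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", 0, 0) + b"\x08\x02\x00\x00\x00")

if __name__ == "__main__":
    for name, blob in [("png", SAMPLE_PNG), ("gif", SAMPLE_GIF), ("jpeg", SAMPLE_JPEG),
                       ("fake", FAKE_IMAGE), ("zero", ZERO_PNG)]:
        print(name, image_dimensions(blob), accept_image(blob))
```

In a forum this would run on the server when a post is saved: fetch the src URL, hand the first few hundred bytes to `accept_image`, and drop the tag if it returns False. Checking the Content-Type header alone is not enough, since the remote server chooses that header.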