Beta test Threadify

[superuser2]

Hello everyone,

 

I'd like to have my site, Threadify, tested.

 

What I am looking for:

a) Is there anything that doesn't work?

b) Is there anything that isn't easy-to-use?

c) Is there anything that should be improved?

 

http://sudo2.com/labs/Threadify/

[Lumio]

I tried to delete myself and got many warnings

 

Nice idea

[superuser2]

Sorry. I that feature kinda wasn't implemented yet. I just wrote that function before checking this thread again.

 

How is it now?

[dsaba]

very cool! great idea

 

only thing i dont like is the design of the thread, its super huge

huge design means there is little content in the thread, if someone took the time to threadify someone most definetly needs to discuss lots of content, or else why make a thread

 

so i suggest the design should be suited for a highly active thread, with lots of text

[superuser2]

Dsaba,

 

That's a really good idea. I looked at it again and saw that.

 

I've made the text smaller, and only the original message has a drop shadow. They're a lot closer together. How's that?

[superuser2]

And now XSS filtering has been implemented.

[dsaba]

looks great, but remember it was just a suggestion, change stuff if you want too or think its neccesary

 

if you don't mind i'm currently trying to build my own custom forum

so i'd be interested in any xss filtering functions you have made

[superuser2]

Dsaba,

 

Thanks.

 

I found a good input validation class at PHPClasses.com:

 

http://www.phpclasses.org/browse/package/2189.html

 

I set it to filter all HTML and Javascript except for the tags I've whitelisted (like <b>, <i>. <u>, <a>, <br> to name a few). Works quite well.

[black.horizons]

aint that why gmail was created?

[superuser2]

Gmail deals with messages in threads, yes, but how well does it handle discussions between more than two people? Not very well in my experience.

[black.horizons]

not bad in my own i must say....provided the "reply to all" is used...

[textbox]

No e-mail validation!

[dsaba]

hey superuser2!

 

I downloaded that inputfilter class, for removing unwanted html tags and attributes

 

i edited like the instructions said:

var $tagsArray = array('br', 'a', 'b', 'em');

 

so it will take out everything except those tags

 

It still takes them out though

 

What am I doing wrong??

[kathas]

when you delete a person from your own thread it takes you to his secret url the one you just deleted and shows that it is not linked with any discussion...

 

Kind of a problem...

 

Except that little problema... I don't think it has any other programming issues...

 

Oh i forgot an important one... try fixing you XSS filtering it ain't good. it displays some tags, some it doesn't, it displays them when there is 1 post and not when there are 2 or vice versa. In few words it ain't that stable...

 

Ex. I wrote "<script" it echoed "<script" browser shows nothing i post another thing random... i look the source and the previous post instead of "<script" has "<script></script>" inside...

[448191]

2 words:

 

form validation

[superuser2]

Hmm... so it looks like the filtering class I'm using isn't very good. I'll have to find another. But it's late, so that goes on my todo list. Thanks for finding that.

 

Beate, that might be because you're putting them in on the wrong paramter (if I recall correctly there's one for the tags to blacklist and another for the tags to whitelist or something like that).

[dsaba]

I think i'm doing this correctly:

Am i not???

 

tagsmethod is 0 , which allows these tags

and i set the tags i want to allow in tagsArray

 

yet still it deletes them... ? what's going on???

 

/** @class: InputFilter (PHP4 & PHP5, with comments)
  * @project: PHP Input Filter
  * @date: 10-05-2005
  * @version: 1.2.2_php4/php5
  * @author: Daniel Morris
  * @contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.
  * @copyright: Daniel Morris
  * @email: dan@rootcube.com
  * @license: GNU General Public License (GPL)
  */
class InputFilter {
var $tagsArray = array('br', 'a', 'b', 'em');
var $attrArray;			// default = empty array

var $tagsMethod;		// default = 0
var $attrMethod;		// default = 0

var $xssAuto;           // default = 1
var $tagBlacklist = array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml');
var $attrBlacklist = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc');  // also will strip ALL event handlers

/** 
  * Constructor for inputFilter class. Only first parameter is required.
  * @access constructor
  * @param Array $tagsArray - list of user-defined tags
  * @param Array $attrArray - list of user-defined attributes
  * @param int $tagsMethod - 0= allow just user-defined, 1= allow all but user-defined
  * @param int $attrMethod - 0= allow just user-defined, 1= allow all but user-defined
  * @param int $xssAuto - 0= only auto clean essentials, 1= allow clean blacklisted tags/attr
  */
function inputFilter($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1) {		
	// make sure user defined arrays are in lowercase
	for ($i = 0; $i < count($tagsArray); $i++) $tagsArray[$i] = strtolower($tagsArray[$i]);
	for ($i = 0; $i < count($attrArray); $i++) $attrArray[$i] = strtolower($attrArray[$i]);
	// assign to member vars
	$this->tagsArray = (array) $tagsArray;
	$this->attrArray = (array) $attrArray;
	$this->tagsMethod = $tagsMethod;
	$this->attrMethod = $attrMethod;
	$this->xssAuto = $xssAuto;
}

[448191]

Better use a simple whitelist. Same for element attributes.

 

You reset $this->tagsArray:

 

var $tagsArray = array('br', 'a', 'b', 'em');
//....
$tagsArray = array()
//....
$this->tagsArray = (array) $tagsArray;

 

[superuser2]

I am unable to recreate the problems encountered with the input filter. Will those experiencing problems please send me a Personal Message telling something I can find the thread by (your email, your secret URL, your thread title or message body)? Thanks. To prove I do indeed own it I have posted a message at:

 

http://sudo2.com/labs/Threadify/phpfreaks.html

 

Stating that I do indeed take responsibilty for this message and that I am who I say I am.

 

I have it set to allow "b", "i", "u", "br", "p", "a", and "img", so those ought to come through. I completely remove any other Javascript or other element. Bold, underline, italic, line breaks, paragraphs, links, and images are all perfectly appropriate in the context of a private forum thread, I think.

 

Please let me know if something is leaking through.

[gabeg]

2 words:

 

form validation

Agreed, I left all the fields blank on the index page and it said it still created the group.

 

Also, why is the secret URL sent to my e-mail address, but not displayed on the confirmation page.

 

If I'm the person that entered the e-mail address, why not just give me the url then? I hate checking my e-mail before being able to use a site!

[superuser2]

Okay, so form validation I will do...

 

Your email address is your identity on Threadify, so the system kinda needs to be sure it's yours. I suppose I could do openId... in fact, should I? What do people think of that?

[448191]

I have it set to allow "b", "i", "u", "br", "p", "a", and "img", so those ought to come through.

 

Some care should be taken when allowing img tags, since they can be abused for XSS. Any element that instructs the browser to fetch an external object can.

[dsaba]

don't allow dynamic images

 

although...

a really clever hacker can use mod rewrite on the httaccess file, and still link a xss attack via an image which really is a php script....

[superuser2]

Validation has been implemented, this means form fields can't be blank and email addresses must look real to be confirmed.

 

To test out the improved system, I have flushed the database, so any and all existing threads and messages are gone.

 

Images: but Forums allow dynamic images - how do they keep it safe? I want to have images allowed and do not have the resources to host the images myself. Can someone more clearly explain how one could Cross Site Script with an image?

[dsaba]

Not all forums allow dynamic images thats not true at all, many are making it default options to not allow dynamic images, one of these forums is invasionboard forums

 

dynamic images are like pic.jpg?var=this&var=that

or image.php?var=this

 

with mod rewrite i can change any extension to reference something else

 

for example i have a script called sniffsessions.php

now it looks like image.jpeg

 

so when this is displayed in your thread:

<img src="image.jpeg"/>

it in essence loads my sniffsessions.php script

 

there's not much you can do about this, as it looks like a regular image, and is not a dynamic image

however you can do some kind of image validation, like use a function to check the height and width of an image, if the function errors, then image.jpeg is not really an image is it? etc...

 

 

basically any script can be hidden as an image, and any script can be loaded via the , <img> tag whether its looks like .jpeg or not

you can simply do:

<img src="maliciouscript.php?hack=you" />

 

and hide scripts in img tags like that, etc....

 

if they load a outside .js script, this can do all kinds of things to your page (XSS)

 

hack.js contents:

<script>

alert('you have been hacked!');

</script>

 

 

all you have to do is <img src="hack.js" /> and now it is part of your source code and part of your page