[SOLVED] Security Question.

[pocobueno1388]

I am trying to keep security in mind before I start a large project, so I have a quick question. I understand that it isn't safe to allow users to input HTML or any code into the database.

 

My question is, if I use htmlentities() on all input where the user is allowed to use code that will be inserted into the database, will that keep away malicious javascript code?

 

Obviously when I want to display this information from the database I will use html_entity_decode(), but won't that just change it back from HTML entities to normal HTML again? If it does that, doesn't that mean that the code will still be executed, and I would still be vulnerable to the attacks that are in the code?

 

Maybe this is the reason BBC code was created? If I don't have to use it though, I would rather not.

[Jessica]

You are correct.

You can use one of the many libraries out there for cleaning HTML if you want to allow it and still prevent XSS attacks.

Check out this page:

http://htmlpurifier.org/comparison.html

 

PS: You'd be surprised how many big sites are vulnerable to XSS. buy.com still is

[Dragen]

just use

mysql_real_escape_string($value);

on everything you put into a database.

When you output it use:

htmlentities($value)

html entities changes everything to it's ascii code, such as

& = &

[dbo]

Decoding it will in fact make you susceptible again. You could do a regular expression search/replace to remove any script tags... because there really isn't a need to allow users to enter in javascript to begin with. If you find any occurences you may consider logging it so that you can see what malicious users were trying to do. Or you could replace < and > with ( and ) on script tags and output it as text... but that's kind ugly. Really depends on your situation. Can you provide some more insight?

[Jessica]

If you want to remove any HTML, use strip_tags(). If you want to allow "safe" html, check out the page above.

[pocobueno1388]

Jesirose, looks like that is exactly what I am looking for =] I will check it out.

 

I don't want to NOT allow HTML, I would like the users of my site to be able to use HTML to "decorate" there personal pages. I just want to make sure I'm protected from the XSS attacks mostly.

 

Wow, how could buy.com not be protected? 0_0 You would think they would have enough money to get it done...

 

Okay, I'm gonna check out that site, then I will be back to report the thread as solved if it's what I'm looking for. If anyone else has any suggestions, please share

[Jessica]

Yeah, and if you TELL buy.com or one of the other large sites, they threaten to prosecute you for attempted hacking. Don't get me started on these morons.

[pocobueno1388]

Thanks jesirose, the library is perfect =]

 

Yeah, lets definitely not get started on that, I can already tell they are a bunch of morons. They will be forced to secure it sooner or later, and if they don't, we will just sit back an watch their empire fall =] I'm speaking from not much knowledge on just how vulnerable they are, but not being protected from those attacks couldn't be a good thing.

 

Anyways, thanks again xD

I'm assuming that this library will catch JavaScript as well?

[pocobueno1388]

Nevermind, it looks like it covers malicious javascript as well =] The name threw me off "HTML Purifier".

[alpha2zee]

For filtering input, one may also think of using <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php">htmLawed</a>, a highly customizable, 45 kb, single file, non-OOP PHP script to filter and purify HTML. Besides restricting tags/elements, attributes and URL protocols as per one's specification, and balancing HTML tags and ensuring valid tag nesting/well-formedness, it also has good anti-XSS and anti-spam measures.

[pocobueno1388]

Thanks for your input...but this thread is 2 months old, and has been solved. No need to bring it back from the dead =]

[revraz]

I can see their building here from my office, maybe I'll walk over there and tell them face to face.

 

Yeah, and if you TELL buy.com or one of the other large sites, they threaten to prosecute you for attempted hacking. Don't get me started on these morons.