
Re: HTML entity bignums

From: Ulf Harnhammar <metaur(at)operamail.com>
Date: Wed Jul 30 2003 - 08:37:52 EDT


Hello list and Ingo!

> - - output filtering:
> HTML/XML output is only acceptable from trusted sources, i.e.

The problem I've been thinking about lately, because of working on my HTML filter kses, is how to allow some HTML input (elements and entities) without being insecure. There are lots of steps you have to take to parse and rebuild stuff, as you wrote, and one step that some other people have forgotten about is to check numeric entities and limit their size. That's what I wanted to point out with my post.

One situation where this might be a real issue is when you check that URLs only have allowed protocols like "http:" and "https:", and not any others like "javascript:" and "about:". If the user can insert colons that the code doesn't recognize, he or she (usually he..) can fool this URL protocol checking part of the filter. This could possibly lead to this XSS hole, if the rest of the filter allows frames: <frame src="javascript [bignum_entity_for_colon] alert(57)">

Parts of your post seem to deal with a situation where all HTML elements and entities should be disarmed, but that problem is simpler. In web mail systems and web forums, you often want to allow some HTML constructs, and that's the problem I'm trying to solve.

// Ulf Harnhammar

   kses - PHP HTML/XHTML filter
   http://sourceforge.net/projects/kses

Received on Wed Jul 30 22:04:38 2003
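As an added example (not kses code and not from Ulf's post), the Python below puts the weak check he describes, a scheme test run on the raw attribute text, beside a filter that decodes numeric entities first and refuses oversized ones before judging the scheme. The "http"/"https" allowlist, the seven-digit cap and the sample attribute values are constructed for the example.

```python
import re
from typing import Optional

ALLOWED_SCHEMES = {"http", "https"}           # constructed allowlist for this example
MAX_ENTITY_DIGITS = 7                         # U+10FFFF is 1114111: seven digits cover every code point
# &#NNN; or &#xHH; -- browsers also accept the form without the trailing ';'
NUMERIC_ENTITY = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")
SCHEME_PREFIX = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def decode_numeric_entities(value: str) -> str:
    """Decode numeric character references as a browser will, but refuse
    'bignum' entities: digit strings longer than any code point needs
    (zero padding, wrap-around attempts) or values above U+10FFFF."""
    def repl(m):
        hex_digits, dec_digits = m.group(1), m.group(2)
        digits = hex_digits if hex_digits is not None else dec_digits
        if len(digits) > MAX_ENTITY_DIGITS:
            raise ValueError("oversized numeric entity: " + m.group(0))
        cp = int(digits, 16 if hex_digits is not None else 10)
        if cp == 0 or cp > 0x10FFFF:
            raise ValueError("out-of-range numeric entity: " + m.group(0))
        return chr(cp)
    return NUMERIC_ENTITY.sub(repl, value)


def naive_url_allowed(raw_attr: str) -> bool:
    """The weak check: inspect the scheme on the raw attribute text.
    An entity-encoded colon leaves no ':' to find, so no scheme is seen."""
    m = SCHEME_PREFIX.match(raw_attr)
    return m is None or m.group(1).lower() in ALLOWED_SCHEMES


def sanitize_url_attr(raw_attr: str) -> Optional[str]:
    """The hardened check: decode entities first, then judge the scheme the
    browser would see. Returns the decoded URL (to be re-escaped on output)
    or None when the attribute must be dropped."""
    try:
        decoded = decode_numeric_entities(raw_attr)
    except ValueError:
        return None
    # URL parsers strip leading C0 controls/spaces and drop tab, LF, CR anywhere
    cleaned = re.sub(r"^[\x00-\x20]+|[\t\n\r]", "", decoded)
    m = SCHEME_PREFIX.match(cleaned)
    if m is None:
        return decoded                        # relative URL, no scheme to judge
    return decoded if m.group(1).lower() in ALLOWED_SCHEMES else None


if __name__ == "__main__":
    for attr in ("http://example.org/", "javascript&#58;alert(57)",
                 "javascript&#0000000058;alert(57)"):   # constructed sample values
        print(repr(attr), naive_url_allowed(attr), sanitize_url_attr(attr))
```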

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT
