Ravens PHP Scripts: Forums
sixonetonoffun
Posted: Mon Aug 16, 2004 10:10 pm

I've been messing with a WYSIWYG editor and I found that if I add img to the allowed html array in config.php, style= can be inserted into it. Though cool for some things, that is just bad in a public place because we can put any sort of nasty java into it that we want, for one thing. So I had to think about what I could do to make html safer globally. I came up with 2 choices:

1) Hack the check_html function and try to improve it to filter out attributes better.
2) Replace the code in check_html with a proven better solution.

I went with 2) and replaced the code in function check_html with KSES. It will still check for the "nohtml" flag and strip everything if it exists. So if you have the need for more html and want to be safer give this a try.

Simply add any edits to the mainfile.php that you need to run your site (like Sentinel's include line). Upload this new mainfile.php and you're done. Here's the best part though: now you can add img to the allowed array and not have to be concerned about script kiddies adding java to your site.

Install:
Upload the included mainfile.php (PHPNuke 7.4 ChatServ Patched 2.5, downloaded 8-16-04),
or replace the entire check_html function in your mainfile.php with the code in the code file included in this archive.

Please test this and report any issues. I have only briefly tested it but it seems to do its job. Usage should be just as check_html is intended:
$var = check_html($var, "nohtml"); // Strips html
$var = check_html($var, "html"); // Would allow approved html
$var = check_html($var); // might work too, but I didn't try that.
There have been some places I've seen $var = (check_html, $strip); this would return the allowed html too. The only way to strip html with it is to use the nohtml method.
Get it here: [link visible to registered users only]
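An added example, not the poster's mainfile.php and not the kses code it wraps: a self-contained check_html() in PHP that shows the allow-list idea the post relies on. It enforces both an allowed-tag list and a per-tag allowed-attribute list, so img can be permitted without letting style= or on*= attributes through; the $AllowableHTML values and the sample input are constructed for the demo, and the nohtml flag keeps its strip-everything meaning.

```php
<?php
// Added example, not the forum post's mainfile.php or the kses library: a check_html()
// that enforces an allow-list of tags AND attributes, so adding 'img' no longer lets
// style= or on*= attributes through. $AllowableHTML mirrors PHP-Nuke's config.php array.
$AllowableHTML = array(
    'b'   => array(),
    'a'   => array('href', 'title'),
    'img' => array('src', 'alt', 'width', 'height'),
);

function check_html($html, $strip = 'html') {
    global $AllowableHTML;
    if ($strip === 'nohtml') { return strip_tags($html); }   // original "nohtml" semantics
    $doc = new DOMDocument();
    // Wrap the fragment in a body so it parses; '@' silences sloppy-markup warnings.
    @$doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body, $AllowableHTML);
    $out = '';
    foreach ($body->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}

function clean_node(DOMNode $node, array $allowed) {
    // Work on a static copy: removing from a live childNodes list skips siblings.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!($child instanceof DOMElement)) { continue; }   // text nodes are inert
        $tag = strtolower($child->tagName);
        if (!isset($allowed[$tag])) {
            $node->removeChild($child);  // unknown tag (script, iframe, ...): drop it whole
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            // Drop anything not listed (style, onload, ...) and any src/href that is
            // not a plain http(s) URL (relative URLs are rejected too, by design).
            if (!in_array($name, $allowed[$tag], true)
                || (($name === 'src' || $name === 'href')
                    && !preg_match('#^https?://#i', trim($attr->value)))) {
                $child->removeAttribute($attr->name);
            }
        }
        clean_node($child, $allowed);
    }
}

// Constructed input: the img-with-style case from the post plus a stray script tag.
echo check_html('<img src="http://example.invalid/a.png" style="position:absolute"><script>hi()</script><b>ok</b>');
```

The img survives with only its src, the script element is removed whole, and the b tag passes because it is on the list; anything you add to $AllowableHTML is still limited to the attributes you name for it.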

sixonetonoffun
Posted: Mon Aug 16, 2004 10:17 pm

Note: It will conflict with Journal2, so I think within a day or so I'll get a copy converted over to use check_html as it uses kses.

sixonetonoffun
Posted: Tue Aug 17, 2004 7:43 am

Here is Journal 2.0.b, which is only recommended for use with this mainfile hack. [link visible to registered users only]