
Thread: php fupload html??

  1. #1
    Join Date
    Oct 2005
    Posts
    255

    Default php fupload html??

    I am sorry, but I am not sure where to put this, but here...

    I am going to have a file upload form which is PHP, but,

    I am going to make it so users can only submit HTML in it. Is this a good idea or not?

    And is it possible to hack through an HTML file, say like an upload form that allows HTML? Also, I don't want to know, I just need to know for security reasons.

    Thanks
    Hey new design new look, goto xudas for personal webdsign help.. (:

  2. #2
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164

    Default

    Your post is so poorly formatted, I am almost lost as to what you're asking.

    I think you are asking about users uploading html code to your server through an upload form.

    There is no security issue in terms of hacking the server (except that they could upload an entire website and leech off your space, but you could catch that easily enough), as HTML doesn't allow anything server-side.

    However, a few things:
    1. If the .htm extension allows any server-side code, though unlikely, that would cause a risk, such as having PHP code allowed, OR if you have SSI (server side includes) allowed in .htm files.
    2. This gives access from your site for anyone, so they could create access to another site through yours, though I'm not sure if anything could be done that would really matter with just HTML/JavaScript/CSS.
    3. However, the real risk here would be XSS (cross-site scripting), meaning a user could get any cookies from your site, which might store private data.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
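    The checks a practitioner would run for points 1 and 3 above, expressed as Apache 2.4 configuration. This is an added example, not configuration from the thread or from any project it mentions; the directory path is hypothetical, and it assumes mod_php, mod_mime and mod_headers are loaded. The commented-out lines are the weak settings, followed by the hardened equivalents.

```apache
# Added example (not from the thread). Directory holding user-uploaded
# .htm/.html files. Path is hypothetical.
<Directory "/var/www/site/uploads">
    # WEAK: settings like these, inherited from the vhost or set here, let an
    # uploaded file run as PHP or process SSI #include directives.
    #   Options +Includes +ExecCGI
    #   AddHandler application/x-httpd-php .php .htm
    #   php_admin_flag engine on

    # HARDENED: no server-side processing of anything in this tree.
    Options -Includes -IncludesNOEXEC -ExecCGI -Indexes
    RemoveHandler .php .phtml .php3 .php5 .phar .shtml .cgi .pl
    RemoveType    .php .phtml .php3 .php5 .phar
    # Serve every file as static bytes, whatever its extension says.
    SetHandler default-handler
    # mod_php: never evaluate PHP under this directory.
    php_admin_flag engine off
    # Belt and braces: refuse to serve files with executable extensions at all.
    <FilesMatch "\.(?i:php\d*|phtml|phar|shtml|cgi|pl)$">
        Require all denied
    </FilesMatch>

    # The HTML still runs in the visitor's browser. A CSP sandbox disables
    # scripts and forms and gives the page an opaque origin, so it cannot read
    # the site's cookies. Hosting uploads on a separate origin is the stronger fix.
    Header set Content-Security-Policy "sandbox; default-src 'none'; img-src https: data:; style-src 'unsafe-inline'"
    Header set X-Content-Type-Options "nosniff"
</Directory>
```

    After applying this, confirm it with a test upload named something like test.php.html containing `<?php echo 1; ?>`: the response body must contain the literal PHP source, and an `<!--#echo var="DATE_LOCAL" -->` in an uploaded page must come back unexpanded.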

  3. #3
    Join Date
    Oct 2005
    Posts
    255

    Default

    Thank you, sorry.

    XSS??? Is that something you put inside .htm or .html?

    And isn't .htm the same as .html?

    And how do I block XSS?

    Thank you

  4. #4
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164

    Default

    .htm and .html are exactly as different as they appear, being that one has an extra character (the "real" extension name is html, but it was shortened for older 8-character name / 3-character extension systems).
    The file extension is just a marker; it will be interpreted as something of meaning, in some cases, and on a server it determines how it is served (like .php is run through the php parser).
    In all likelihood, they will be seen both as html content on your site.


    XSS is cross-site scripting and technically not what would happen here. XSS is a method used in, for example, guestbooks. Post a <script> tag in there with a cookie grabber and send all the cookies to the home site, then you have just grabbed any data from the site where it is embedded. It's a sort of (relatively) low-access form of hacking.
    In a guestbook script, this is blocked easily by just stripping html out of a page.
    So, in the same sense, you could not allow... html. But you want to.
    In that case, you'll need to remove scripting from those pages by stripping any <script....>...</script> tags and removing any applicable onClick, onLoad, etc. attributes. You could look through the code specifically for javascript that grabs cookies, but once you open up a programming language that allows for infinite approaches, it becomes nearly impossible to stop; you could, for example, write a custom decryption function and eval(), using an encrypted bit of text to end up grabbing the cookies, nothing that you could find using even the most advanced regex parser.

  5. #5
    Join Date
    Oct 2005
    Posts
    255

    Default

    OK, thank you so much...

    Do you think this would work?

    Code:
       $html = str_replace("...", "<script>", $html);
       $html = str_replace("...", "</script>", $html);
    Kind of like MySpace does on some of their HTML that is not allowed...
    It will replace the <script> tags so they won't work...
    Like BBCode, laugh out loud, haha?

  6. #6
    Join Date
    Jun 2005
    Location
    United Kingdom
    Posts
    11,876

    Default

    older 8-character name / 3-character extension systems
    I.e. DOS.
    it will replace the <script > tags so they wont work..
    You've got the parameters the wrong way around. Replace X with Y in Z. A way of doing it would be:
    Code:
    // first pattern deletes the literal "<script" opener; second deletes from a "<" up to an on...= event attribute
    $html = preg_replace(array('/<script/i', '/<.*on\w+=/i'), '', $html);
    Could theoretically mess up some things it shouldn't, but better safe than sorry.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
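    Post #4 argues that stripping `<script>` tags and on* attributes cannot be made watertight once arbitrary HTML is allowed, and post #6 offers a two-pattern regex as a best effort. The block below is an added example, not code from either poster or from any project: it runs that exact regex over a few constructed uploads to show where it fails, and beside it a parse-then-allowlist sanitizer built on PHP's DOMDocument. The function names, the allowlists and the sample inputs are all assumptions made for this illustration; it needs PHP 7.1 or later with ext/dom.

```php
<?php
// Added example, not code from the thread. Contrasts the regex stripping from
// post #6 with a parse-then-allowlist sanitizer built on DOMDocument.
// Function names, allowlists and sample uploads are constructed for this
// illustration. Requires PHP 7.1+ with ext/dom.

// Exactly the post #6 approach: delete "<script" and anything from a "<" up
// to an on*= attribute. One text pass per pattern, no HTML parsing.
function naive_strip(string $html): string
{
    return preg_replace(array('/<script/i', '/<.*on\w+=/i'), '', $html);
}

// Allowlist policy (assumed for this example): elements not listed are
// unwrapped (their text survives); the DROP set is removed with its contents.
const ALLOWED_TAGS = ['p', 'br', 'b', 'i', 'u', 'strong', 'em', 'a', 'img', 'ul', 'ol',
                      'li', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'pre', 'code'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt', 'width', 'height']];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'noscript', 'form'];

// Keep only http, https, mailto or scheme-less (relative) URLs. Whitespace and
// control characters are removed before the check because browsers ignore
// them inside a scheme, so "java\tscript:" would otherwise slip through.
function safe_url(string $url): ?string
{
    $clean = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)
        && !in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true)) {
        return null;
    }
    return $url;
}

function allowlist_sanitize(string $html): string
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);   // uploaded HTML is rarely well formed
    $dom->loadHTML('<html><head><meta http-equiv="Content-Type" '
                   . 'content="text/html; charset=utf-8"></head><body>'
                   . $html . '</body></html>');
    libxml_clear_errors();

    // Snapshot first: removing nodes while iterating a live DOMNodeList skips elements.
    $elements = [];
    foreach ($dom->getElementsByTagName('*') as $el) {
        $elements[] = $el;
    }
    foreach ($elements as $el) {
        $tag = strtolower($el->tagName);
        if ($tag === 'html' || $tag === 'head' || $tag === 'meta') {
            continue;                   // our own wrapper
        }
        $parent = $el->parentNode;
        if ($tag !== 'body') {
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $parent->removeChild($el);
                continue;
            }
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                while ($el->firstChild) {   // unwrap: keep children, lose the tag
                    $parent->insertBefore($el->firstChild, $el);
                }
                $parent->removeChild($el);
                continue;
            }
        }
        // Attributes: anything not explicitly allowed goes, which covers every
        // on* handler, style=, formaction=, and a stray <body onload=...>.
        $keep = ALLOWED_ATTRS[$tag] ?? [];
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            $lname = strtolower($name);
            if (!in_array($lname, $keep, true)) {
                $el->removeAttribute($name);
            } elseif (($lname === 'href' || $lname === 'src')
                      && safe_url($el->getAttribute($name)) === null) {
                $el->removeAttribute($name);   // javascript:, data:, vbscript:, ...
            }
        }
    }
    // Serialise only the contents of <body>. The serializer escapes text nodes,
    // so fragments left behind by removals cannot reassemble into tags.
    $out = '';
    foreach ($dom->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

// Constructed uploads. Each gets through naive_strip() untouched or mangled,
// and comes out of allowlist_sanitize() without any executable content.
$samples = [
    'space before ='  => '<img src=x onerror = alert(document.cookie)>',
    'URL scheme'      => '<a href="javascript:alert(document.cookie)">click</a>',
    'reassembly'      => '<scr<scriptipt>alert(document.cookie)</script>',
    'greedy .* scope' => '<b>kept?</b> <p>text</p> <p onclick=1>x</p>',
];
foreach ($samples as $label => $html) {
    echo $label, "\n  regex:     ", naive_strip($html),
         "\n  allowlist: ", allowlist_sanitize($html), "\n\n";
}
```

    Reading the four cases: a space before `=` defeats `on\w+=`; a `javascript:` href contains neither pattern; `<scr<scriptipt>` turns into `<script>` after the single deletion pass; and the greedy `.*` deletes everything from the page's first `<` up to the last handler, so harmless markup is destroyed while nothing was actually parsed. The allowlist version never tries to recognise bad input, it only re-emits what it understands, which is why the obfuscated eval() payload mentioned in post #4 has no tag or attribute left to live in.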

  7. #7
    Join Date
    Oct 2005
    Posts
    255

    Default

    Thank you! So much...
