Thread: security question

  1. #1
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default security question

    For user submitted css if I were to str_replace "style" would that effectively eliminate possible javascript injections?
    Last edited by james438; 06-06-2011 at 09:16 AM.
    To choose the lesser of two evils is still to choose evil. My personal site

  2. #2
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    I don't understand. How could CSS involve Javascript? Why not just let them submit text that goes between the <style....> and </style> tags? I don't believe Javascript can operate in there. Maybe some browsers would allow it, so you might still need to check, but it's a good start.

    As for replacing "style", do you mean replacing "<script>" instead? <style> is css, and <script> is JS.
    That might stop a lot of it, but remember that Javascript can also be embedded in attributes like onclick, onmouseover, etc.

    The safest way to eliminate any of that is to replace all instances of <, >, " and &. But that might also cause some problems with your CSS.

    Maybe you meant that you don't want users to be able to end the <style> block of CSS by adding </style>. That's a good point. After that they could put JS. But I'd recommend not blocking "style", but instead "</style>" (AND possible variations on that) because "style" itself might be part of a class for example, and it is part of several CSS properties, like list-style.


    Please post the exact format that you are allowing users to upload.
    Daniel - Freelance Web Design | <?php?> | <html> | español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. #3
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default

    I think in the last major paragraph you were understanding my situation.

    This is really just in the concept stage, but here is some more detail.

    The user submitted css would be between the style tags. str_replace('script','',$css); would eliminate the closing script tag. I used "script" as opposed to "/script" because what if the user used "</ script>" or "< / script>" or </Script>, etc? I would have to make the str_replace case insensitive too I guess.

    Removing <, >, &, " sounds like a good, if not better idea. I am pretty sure that it is easier to work around those 4 symbols easily enough. I am not a big fan of users being able to insert javascript into the css using the method mentioned above.
    Last edited by james438; 06-06-2011 at 03:23 AM. Reason: typo + slight rewording.
    To choose the lesser of two evils is still to choose evil. My personal site

  4. #4
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    I understand now. I think it might be best to approach this with regular expressions trying to block all variations of </style> tags and variations. (I think in your post above, maybe after reading my complicated response, you switched "style" and "script", right?).

    You can probably eliminate < and > completely, but " can be used in CSS such as for paths. I'm not sure if & is ever used in CSS.
    Daniel - Freelance Web Design | <?php?> | <html> | español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  5. #5
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default

    hehe, you're right, I did switch style and script around! silly me

    It looks like I need to use regular expressions here. I wanted to see if there was an easy way to do this without pcre though. My philosophy is to only use pcre if you really need to.

    I think I will use both methods: remove > and < and use pcre to remove variations of "</style>".

    Could using paths insert javascript?
    To choose the lesser of two evils is still to choose evil. My personal site

  6. #6
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    I don't think there's any way to use a path to insert Javascript. That would just apply, for example, an image as a background. I really doubt any browser would allow a .js file to be loaded there somehow.*

    If you remove < and > then removing </script> is redundant. I'd suggest changing them to &gt; and &lt;. That way you'll end up with at worst &gt;/style&lt; and that's harmless.


    *In theory, there are "javascript:" paths, but I don't know if they're allowed in CSS. I doubt it. We'll have to wait to see if someone else mentions something about that. You can always try the following:
    Code:
    <style type="text/css">
    body { background-image: url("Javascript:alert();"); }
    </style>
    ....I'm not even sure if that's the right syntax (if it actually might exist).
    Last edited by djr33; 06-06-2011 at 03:47 AM.
    Daniel - Freelance Web Design | <?php?> | <html> | español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  7. #7
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default

    Thanks for the tips. I should be able to avoid using pcre that way too.
    To choose the lesser of two evils is still to choose evil. My personal site

  8. #8
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    > is an operator in css (it means "children", as opposed to a simple space, which means "descendants"):
    HTML Code:
    <style>
    body div{ background: red; }
    body > div{ background: blue; }
    </style>
    <body>
       <div>
          This div will have a blue background.
          <div>
             This div will have a red background.
             <div>
                So will this one. Without the > operator in the second style rule, all the divs would have been blue.
             </div>
          </div>
       </div>
    </body>
    granted, it's severely underused, so you might be perfectly "okay" with disallowing it (no one is likely to notice anyway).
    Last edited by traq; 06-06-2011 at 03:57 AM.

  10. #9
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default

    maybe if I just transformed "<" then?
    To choose the lesser of two evils is still to choose evil. My personal site
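
The two ideas the thread has converged on, escaping the angle brackets so user CSS cannot close the surrounding <style> block (post #6) and escaping only "<" so the ">" child combinator from post #8 survives (post #9), together with a check for the "javascript:" url() case raised in post #6, as one added PHP example. This is not code from anyone in the thread: the function names escape_user_css and find_disallowed_urls, the allowlist of http/https schemes and the sample CSS strings are all constructed for the demonstration.

```php
<?php
// Added example: preparing user-submitted CSS for inclusion inside a <style> block.
// Hypothetical function names; not from the thread.

/**
 * Escape the one character that can end the surrounding <style> element.
 * The HTML parser ends a <style> element at the first "</style" it meets, no matter
 * what the CSS around it looks like, and every end tag begins with "<", so encoding
 * "<" alone covers "</style>", "</Style>", "</ style >" and any other spelling.
 * <style> is a raw-text element, so "&lt;" is NOT decoded back to "<"; the CSS
 * parser just sees the inert text "&lt;/style&gt;".
 * ">" is the CSS child combinator (body > div), so it is kept by default; pass
 * false to get the stricter variant that also encodes it.
 */
function escape_user_css(string $css, bool $keepChildCombinator = true): string
{
    $map = ['<' => '&lt;'];
    if (!$keepChildCombinator) {
        $map['>'] = '&gt;';
    }
    return strtr($css, $map);
}

/**
 * Return every url(...) value whose scheme is not http or https.
 * Relative paths and scheme-relative URLs (no "scheme:" prefix) are allowed.
 * Written as an allowlist on purpose: a value is rejected because its scheme is
 * unknown, not because it happens to contain a particular keyword.
 */
function find_disallowed_urls(string $css): array
{
    $flagged = [];
    if (preg_match_all('/url\(\s*(["\']?)(.*?)\1\s*\)/is', $css, $matches)) {
        foreach ($matches[2] as $value) {
            $value = trim($value);
            if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $value, $m)
                && !in_array(strtolower($m[1]), ['http', 'https'], true)) {
                $flagged[] = $value;
            }
        }
    }
    return $flagged;
}

// Constructed sample inputs (not from the thread's users).
$samples = [
    'body > div { background: blue; }',                        // child combinator must survive
    'p { color: red; } </style><b>not css</b>',                 // would close the <style> block
    'p { color: red; } </ STYLE >',                            // case/spacing variant, same fix
    'body { background-image: url("Javascript:alert();"); }',  // the url() case from post #6
    'body { background: url(images/bg.png); }',                 // relative path, allowed
];

foreach ($samples as $css) {
    echo "input:   $css\n";
    echo "escaped: " . escape_user_css($css) . "\n";
    $bad = find_disallowed_urls($css);
    echo "urls:    " . ($bad ? 'rejected ' . implode(', ', $bad) : 'ok') . "\n\n";
}
```

The escaping step is what keeps the block closed; the url() check is a separate policy decision that rejects anything but http/https rather than trying to enumerate bad schemes. Run with `php sanitize_css.php` (any file name) and read the three lines printed per sample.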

  11. #10
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    why don't you just use strip_tags()? that was my first thought.