Thread: Enable HTML
  #6  
Old 8th May 2010, 09:34
joeroberts
BT.Manager Owner
 
Join Date: Jan 2008
United States
Posts: 2,113
Quote:
Originally Posted by MrPHP View Post
HTML input can be perfectly safe.

I think you're mistaking "badly implemented, unchecked, raw HTML input" with "intelligently secured and whitelisted HTML input".

Though granted, bbcode is often easier for the users to understand. If you don't want to allow flash embedding (and you shouldn't), just don't whitelist those tags.

If you don't want the onhover attribute for elements (and again, you shouldn't), just strip those out. There is nothing intrinsically unsafe about HTML descriptions; idiotic developers are where the problem lies.
Funny how you say it is completely safe, then point out two things you should not allow, but you leave out meta tags and Java tags, and you do not even tell them how to stop them.
The problem with allowing the injection of HTML is a complicated one. There is no 100% safe method to allow HTML and feel secure. Some of the issues and interactions are:

1. The obviously dangerous tags like SCRIPT and APPLET are not the only danger. Any injection of a URL can be dangerous. Any tag that allows for a URL (e.g., a, img, frame, ...) can be used for cross-site scripting and cookie stealing, which can allow someone to hack into your board.

2. Hackers can use various tricks that would result in a tag getting through the filter imposed by the PHP checker. Possible examples:
a) <sc\0ript> becomes <script>
b) <scr<embed>ipt> becomes <embed> or <script>

3. Then there is the issue of malicious tag attributes and events such as onclick and onmouseup.
Potentially dangerous tags that accept URLs:
A, APPLET, AREA, BASE, BGSOUND, BODY, EMBED, FORM, FRAME, IFRAME, ILAYER, IMG, ISINDEX, INPUT, LAYER, LINK, OBJECT, SCRIPT, SOUND, TABLE, TD, TH, TR

Quote:
idiotic developers are where the problem lies

__________________
Do not ask me to help you work on your site that is not phpMyBitTorrent
Do not ask me to make a mod for any other source
Do not ask me to set up your site.
I will no longer help you set up your site; there is a setup script. If you have trouble with it, post in the forum here or in the BT.Manager™ forum.
My Current Demo is here http://demo.btmanager.org/
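The two filter-evasion tricks listed in the post (a NUL byte inside a tag name, and one tag nested inside another so that a single strip pass reassembles the outer one) and the whitelist approach MrPHP argues for, as an added Python example. This is not code from the thread or from phpMyBitTorrent; the blacklist regex, the allowlist of tags and attributes, the URL policy and the test payloads are all assumptions constructed for this example. The naive filter is a one-pass blacklist of the kind the post warns about; the sanitizer tokenizes the fragment with the standard-library HTMLParser, drops every tag and attribute it does not know, re-escapes all text, and only keeps href/src values whose scheme is http or https.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# --- The "badly implemented" approach: a one-pass blacklist regex. ---
# Hypothetical filter written for this example; not code from the thread
# or from phpMyBitTorrent. It is vulnerable by design.
BLACKLIST = re.compile(r"</?(script|embed|applet|object|iframe)\b[^>]*>", re.I)


def naive_blacklist_filter(fragment: str) -> str:
    """Strip blacklisted tags in a single pass (vulnerable by design)."""
    return BLACKLIST.sub("", fragment)


# --- The allowlist approach: tokenize, keep only known tags/attributes. ---
# Assumed policy for this example: a small set of formatting tags, links
# and images; everything else is dropped.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}        # attributes that carry a URL
VOID_TAGS = {"br", "img"}          # never emit an end tag for these
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def safe_url(value: str) -> bool:
    """Accept only absolute http(s) URLs; reject javascript:, data:, etc.

    Control characters and surrounding whitespace are removed first, because
    browsers ignore them when parsing a URL ("java\\tscript:" still runs).
    """
    cleaned = CONTROL_CHARS.sub("", value).strip()
    return urlsplit(cleaned).scheme in ("http", "https")


class AllowlistSanitizer(HTMLParser):
    """Re-serialize a fragment keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: dropped entirely, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # event handlers like onclick never get this far
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text is always re-escaped

    # comments, doctypes and processing instructions use the default
    # no-op handlers, so they are silently dropped


def sanitize(fragment: str) -> str:
    """Allowlist-sanitize an HTML fragment for safe re-display."""
    fragment = fragment.replace("\x00", "")  # drop NULs before tokenizing
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed payloads: the two tricks from the post plus a URL attribute.
    for payload in (
        "<sc\x00ript>alert(1)</script>",
        "<scr<embed>ipt>alert(1)</scr<embed>ipt>",
        '<a href=" JAVA\tSCRIPT:alert(1)">x</a>',
        '<img src="http://h/x.png" onerror="alert(1)">',
    ):
        print(repr(naive_blacklist_filter(payload)), "->", repr(sanitize(payload)))
```

The naive filter leaves `<sc\0ript>` untouched (the regex never sees a contiguous "script") and turns `<scr<embed>ipt>` into `<script>` by removing the inner tag. The allowlist sanitizer never has that problem because it does not try to recognize bad markup: it rebuilds the fragment from parsed tokens and anything not explicitly allowed, including every on* event attribute and every non-http(s) URL, simply never reaches the output.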