Reasons never to allow HTML
by CarCdr (Join Date: Apr 2004, Posts: 242), 10 Aug 2004

This was written in response to various queries regarding the use of HTML, most recently in this thread.
-----------------

In general, one is probably fine allowing bbcodes, although I do not know if bbcodes like IMG and URL are safe. (See below.)

While vB provides the capability to allow HTML, one should never use it. It opens your board to attack.

Use bbcodes. If you need to emulate an HTML tag, write a new bbcode.

The problem with allowing the injection of HTML is a complicated one. There is no 100% safe method to allow HTML and feel secure. Some of the issues and interactions are:

1. The obviously dangerous tags like SCRIPT and APPLET are not the only danger. Any injection of a URL can be dangerous. Any tag that allows for a URL (e.g., a, img, frame, ...) can be used for cross-site scripting and cookie stealing, which can allow someone to hack into your board.

2. Hackers can use various tricks that would result in a tag getting through the filter imposed by the PHP checker. Possible examples:
a) <sc\0ript> becomes <script>
b) <scr<embed>ipt> becomes <embed> or <script>

3. Then there is the issue of malicious tag attributes and events such as onclick and onmouseup.

--------
Potentially dangerous tags that accept URLs:
A, APPLET, AREA, BASE, BGSOUND, BODY, EMBED, FORM, FRAME, IFRAME, ILAYER, IMG, ISINDEX, INPUT, LAYER, LINK, OBJECT, SCRIPT, SOUND, TABLE, TD, TH, TR

Last edited by CarCdr; 10 Aug 2004 at 13:31..
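The two filter-evasion tricks in item 2 and the event-attribute and URL-scheme points in items 1 and 3 are easy to reproduce. The following Python is an added example, not part of CarCdr's post and not vBulletin's own (PHP) filtering code: it runs five constructed payloads through a "censor the bad tag names" blacklist of the kind proposed later in this thread and shows that all five come out still executable, while plain entity-escaping (what "HTML code is Off" amounts to) neutralises every one of them. The names `naive_censor`, `escape_all`, `surviving_payloads` and the sample strings are all assumptions made for the demonstration.

```python
import html
import re

# Constructed samples, not from the original post: one payload per weakness
# the post lists (NUL byte inside the tag name, a blacklisted tag nested inside
# another so that removing the inner one re-assembles the outer, an on* event
# attribute, a javascript: URL in an ordinary A tag, and mixed case).
SAMPLES = {
    "null_byte":  "<sc\x00ript>alert(1)</script>",
    "nested_tag": "<scr<embed>ipt>alert(1)</script>",
    "event_attr": '<img src="x" onerror="alert(document.cookie)">',
    "url_scheme": '<a href="javascript:alert(document.cookie)">click</a>',
    "mixed_case": "<ScRiPt>alert(1)</sCrIpT>",
}

# The "censor these tags" list of the kind proposed later in the thread.
CENSORED_TAGS = ("script", "applet", "embed", "object", "iframe")

# Crude detector, used only to score the demo: is there still a script
# element, an on* handler inside a tag, or a javascript: href/src inside a tag?
EXECUTABLE_RE = re.compile(
    r"<\s*script\b"
    r"|<[^>]*\son[a-z]+\s*="
    r"|<[^>]*\b(?:href|src)\s*=\s*[\"']?\s*javascript\s*:",
    re.IGNORECASE,
)


def naive_censor(text):
    """Blacklist filter: delete each censored tag name once, then drop NUL
    bytes (many stacks strip NULs somewhere after the filter has run).
    Every entry in SAMPLES survives it."""
    for tag in CENSORED_TAGS:
        text = text.replace("<%s>" % tag, "").replace("</%s>" % tag, "")
    return text.replace("\x00", "")


def escape_all(text):
    """What 'HTML code is Off' amounts to: every < > & \" ' becomes an entity,
    so the browser shows the payload as text instead of parsing it."""
    return html.escape(text.replace("\x00", ""), quote=True)


def surviving_payloads(filter_fn):
    """Names of the samples that still look executable after filter_fn."""
    return [name for name, raw in SAMPLES.items()
            if EXECUTABLE_RE.search(filter_fn(raw))]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-10s censored -> %s" % (name, naive_censor(raw)))
    print("bypass naive_censor:", surviving_payloads(naive_censor))
    print("bypass escape_all:  ", surviving_payloads(escape_all))
```

Running it prints `<script>alert(1)` for both the NUL-byte and the nested-tag samples: the censor removed a tag, and what was left behind is exactly the tag it was meant to remove. Note that `EXECUTABLE_RE` is a scoring aid for the demo, not a filter; the lesson of the post is that no such regex should be trusted as one.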
Comments
#2 Dean C (Dean Clatworthy), 10 Aug 2004, 13:11
I'll move this over to modifications hints and tips - I think we need a rename of that forum
#3 Natch, 11 Aug 2004, 00:19
Handy Hints 4 Board Admins?
#4 deathemperor (Lucius Hunk), 11 Aug 2004, 01:52
good hints
HTML is magic.
#5 Gutspiller, 17 Aug 2005, 23:41
Or you can just censor certain html tags and be a little safer:
:ermm:
#6 Zachery (Zachery Woods), 17 Aug 2005, 23:44
Originally Posted by Gutspiller
Or you can just censor certain html tags and be a little safer:
Censor is really easy to get around
#7 FrozenCreations, 25 Aug 2005, 00:54
I have an even better reason /;

do not allow <img /> tags!!

<HTML>
<BODY>
<IMG SRC="./bsod.gif" width="9999999" height="9999999" />
</BODY>
</HTML>

INSTANT DOOM!! muahahahahahaha

(it crashes the page)
#8 AN-net, 25 Aug 2005, 07:23
Originally Posted by Gutspiller
Or you can just censor certain html tags and be a little safer:
there are still so many more possibilities to use vicious javascript and code
#9 FrozenCreations, 25 Aug 2005, 22:14
And there's always my instant doom img tag.

The downside is, you gotta upload your own pic /;
#10 Tradjick, 28 Sep 2005, 05:17
And when enabling HTML only for Admins, would that be safe, besides the risk that someone gets Admin access?
#11 EliasAlucard, 30 Jan 2013, 15:44
Do they have to register an account and write something in the HTML-enabled section in order to exploit security vulnerabilities, or is it enough to just enable HTML in the first place in order to open up the forum for vulnerabilities?
#12 Digital Jedi (Mark Daniel Martinez), 30 Jan 2013, 16:10
Originally Posted by EliasAlucard
Do they have to register an account and write something in the HTML-enabled section in order to exploit security vulnerabilities, or is it enough to just enable HTML in the first place in order to open up the forum for vulnerabilities?
The risk is someone using the HTML on your forum. So whatever usergroup has the ability, is where the risk lies.
#13 EliasAlucard, 30 Jan 2013, 16:16
Originally Posted by Digital Jedi
The risk is someone using the HTML on your forum. So whatever usergroup has the ability, is where the risk lies.
Do they have to post with special HTML tags or is it enough that someone posts something like <sup> in order to enable HTML to become a vulnerability risk?
#14 Digital Jedi (Mark Daniel Martinez), 30 Jan 2013, 18:04
Originally Posted by EliasAlucard
Do they have to post with special HTML tags or is it enough that someone posts something like <sup> in order to enable HTML to become a vulnerability risk?
The danger doesn't come from the HTML just existing in a post. The danger comes from the person posting using raw HTML code.

Whatever HTML code he puts in a post, becomes that on the forum. If he posts the code that makes a table, it becomes a table in his post. If he posts the raw HTML code for embedding a YouTube video, it becomes an embedded YouTube video in his posts.

So the danger comes from the person, and what he's choosing to post. If he wants to post malicious code, he has free access to do so. That's why BBCode is more secure. BBCode only turns into the HTML you decided it will turn into.

NOTE: Don't confuse this with the [HTML][/HTML] BBCode tags. This has nothing to do with what they're talking about above. This just displays code in such a way that it stays formatted. No matter what anyone puts here, it will just display text with the spacing preserved and color coding added.
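"BBCode only turns into the HTML you decided it will turn into" is the whole argument of this thread, and it also answers the first post's open question about whether IMG and URL bbcodes are safe: they are as safe as the URL check behind them. The following Python is an added example, not vBulletin's own (PHP) bbcode parser and not code from anyone in this thread. It is a hypothetical minimal renderer (`bbcode_to_html`, `render`, `safe_url` and `TAG_RE` are all names invented here) that entity-escapes every character the poster wrote and then substitutes only four whitelisted tags, emitting a fixed set of attributes. The sample posts in it are constructed. Because [img] emits nothing but `src`, a poster cannot attach the enormous `width`/`height` attributes from the "instant doom" post above; the image is rendered at its own size.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical minimal bbcode renderer (an added example; vB's own parser is
# considerably larger). Only these four tags exist; anything else is text.
TAG_RE = re.compile(
    r"\[(b|i|url|img)(?:=([^\]]*))?\](.*?)\[/\1\]",
    re.IGNORECASE | re.DOTALL,
)
SAFE_SCHEMES = {"http", "https"}


def safe_url(raw):
    """Return raw if it is an absolute http(s) URL, else None. Control
    characters (NUL, tab, newline) are dropped first so that
    'java\\x00script:' cannot pass the scheme check and re-assemble later."""
    cleaned = "".join(ch for ch in raw if ch >= " ").strip()
    try:
        parts = urlsplit(cleaned)
    except ValueError:          # e.g. a stray '[' that looks like a bad IPv6 host
        return None
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return cleaned


def render(tag, arg, inner):
    """Emit the fixed HTML chosen for one tag. Attribute values are always
    entity-escaped, so a poster can never add attributes of their own."""
    if tag in ("b", "i"):
        return "<%s>%s</%s>" % (tag, bbcode_to_html(inner), tag)
    if tag == "url":
        url = safe_url(inner if arg is None else arg)
        label = bbcode_to_html(inner)
        if url is None:                       # bad scheme: keep the text, drop the link
            return label
        return '<a href="%s">%s</a>' % (html.escape(url, quote=True), label)
    if tag == "img":
        url = safe_url(inner)
        if url is None:
            return html.escape(inner, quote=True)
        # Only src is ever emitted; width/height come from the image itself.
        return '<img src="%s">' % html.escape(url, quote=True)
    raise ValueError(tag)


def bbcode_to_html(text):
    """Escape everything, then substitute only the whitelisted tags."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        out.append(render(m.group(1).lower(), m.group(2), m.group(3)))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed posts: raw HTML, a javascript: link, an attribute-injection
    # attempt in [img], and an ordinary link whose & must be escaped.
    for post in (
        "[b]hello[/b] <script>alert(1)</script>",
        "[url=javascript:alert(document.cookie)]click[/url]",
        '[img]x" onerror="alert(1)[/img]',
        "[url=https://example.com/?a=1&b=2]site[/url]",
    ):
        print(bbcode_to_html(post))
```

Two design points matter more than the tag list. First, the default path is escaping, and markup is the exception: text only becomes HTML by passing through `render`, which is the property a blacklist filter can never give you. Second, the URL check is on the parsed scheme, not on a substring, and runs after control characters are removed, which is what closes the NUL-byte trick from the first post against `[url]` and `[img]`.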
#15 final kaoss, 30 Jan 2013, 22:31
Wow a 9 year old thread revived?