  1. #1
    SitePoint Member
    Join Date
    Aug 2006
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    So you're making a social networking site - what tags to ban?

    Hey,

    So say you're making an all-out social networking site that permits certain HTML tags in profiles. Of course, you don't want your users sticking ads, etc. in their profiles. What tags would you ban?

    Right now, the only one I can think of is <script>

    What else would you guys prohibit?

    Thanks

  2. #2
    SitePoint Wizard
    You need to be very careful if you plan to allow HTML tags, especially if you allow HTML attributes in your tags.

    You should do some serious research on XSS before you consider trying something like this. If the only thing that comes to your mind is the <script> tag, then I think you have a lot of learning about XSS to do before you attempt something like this.

    Take a look here, it's one of many websites.
    http://ha.ckers.org/xss.html

    The possibilities are quite large.

    Websites like MySpace must have some incredible protection systems, and even despite that, XSS exploits still turn up here and there.
    Last edited by clamcrusher; Sep 2, 2006 at 21:12.

  3. #3
    SitePoint Wizard Young Twig
    Anything JS-related, iframes, styles, etc. Just use BBCode or something.

  4. #4
    SitePoint Zealot
    ...,<img>, <src>, <embed>, ... everything that can include some file.

  5. #5
    Resident Code Monkey Chris Corbyn
    Have a look at this: http://hp.jpsband.org/

    It's still in development but the author (very very clever guy!) frequents a forum I moderate and I believe it's just about complete for first official release.

  6. #6
    is_empty(2); foofoonet
    @d11wtq
    As of PHP 5.2, won't the new filter extension take care of a lot of this?

    http://blog.thepimp.net/index.php/20...filter-release

    It's a PECL extension at the moment, I think.

    I like the whitelist idea though.

    TinyMCE, a WYSIWYG editor, also uses the idea of a whitelist of allowed tags; it might be worth looking at how they do that too.
    Upgrading to Mysql 5? Auto-increment fields now strict
    use NULL
    Or zero or leave the field name out completely.

  7. #7
    Resident Code Monkey Chris Corbyn
    I think the big thing with HTML Purifier is that if you're a web developer who takes pride in meeting standards, it's probably one of the only tools that actually bases its decisions on the DTD in question. From what I've seen of it, it's very sexy indeed.

  8. #8
    is_empty(2); foofoonet
    http://hp.jpsband.org/comparison.html
    I had a look at the comparison page above. I was a bit surprised not to see HTMLTidy (perhaps in a previous incarnation?).

    It's certainly very interesting, and I would really love to see a slug-out between this and PHP 5.2 with the new filter and HTMLTidy extensions:

    1. speed (benchmark)
    2. ease of development (how difficult to configure)
    3. strictness score
    4. crackability rating

    e.g. if I sent some data from TinyMCE (yes, JS only ...) to store in a database via:

    - Purifier
    - Filter + Tidy
    Thanks for the pointer and heads up on that project.

  9. #9
    SitePoint Enthusiast
    The official release is out now. :-D

    I didn't include Tidy in the comparison list (perhaps I should), because it has a very different goal than HTML Purifier.

    Quote:
    When editing HTML it's easy to make mistakes. Wouldn't it be nice if there was a simple way to fix these mistakes automatically and tidy up sloppy editing into nicely laid out markup? Well now there is! Dave Raggett's HTML TIDY is a free utility for doing just that. It also works great on the atrociously hard to read markup generated by specialized HTML editors and conversion tools, and can help you identify where you need to pay further attention on making your pages more accessible to people with disabilities.

    Tidy never claimed to produce standards-compliant code: it would just catch general sloppiness on the author/editor's part. Still, it's been successfully used as a band-aid for parsers that aren't smart enough to fix nesting (for example, MediaWiki).

    Quote:
    As of PHP 5.2, won't the new filter extension take care of a lot of this?

    Glancing at the PHP manual page, it doesn't look like it has HTML filtering capabilities yet. It's probably coming though.

    Quote:
    speed (benchmark)

    HTML Purifier loses hands down here. :-P I'm working on optimizing it though.

    Quote:
    ease of development (how difficult to configure)

    Well, as of right now, HTML Purifier has no (official) method of configuration. So it could be easy or hard, depending on how you look at it.

    Quote:
    strictness score

    As in output, I can 99% guarantee HTML Purifier's output is standards compliant.

    Quote:
    crackability rating

    Same here. You might call allowing <img> tags a security risk, but then again, a lot of forum software allows images (this one included), so they're not that big of a problem. Functionality to disable them or only allow local images is coming (around 1.3).

  10. #10
    is_empty(2); foofoonet
    Hi,

    It's really nice to see your response. Thanks.

    Using the DTD sounds like a really smart way of dealing with the problem of validating input.

    I am really not worthy to make any comments on your project, but I would love to know what the likes of Chris Shiflett and Christopher Kunz think.

  11. #11
    SitePoint Enthusiast
    Haven't heard from them yet.

    Note that the library doesn't actually use the DTD per se... it simulates the DTD. If I actually used the DTD I'd be letting things like onclick through (which are in the DTD) and that wouldn't be very useful, hmm?

  12. #12
    SitePoint Zealot bobber205
    I would suggest banning this tag:

    HTML Code:
    <a include = "destroyServer.exec">

  13. #13
    SitePoint Enthusiast
    ... that doesn't even do anything (besides break validation).

  14. #14
    SitePoint Zealot bobber205
    Quote Originally Posted by Ambush Commander
    ... that doesn't even do anything (besides break validation).

    Uh... I was kidding.

  15. #15
    Non-Member Ihtesham
    In most cases, the set of allowed tags is smaller than the set of prohibited tags.

    Perhaps a good solution lies in the question: What HTML tags to allow?

  16. #16
    SitePoint Zealot bobber205
    What other ones do you need to really allow except for <b>, <i> and maybe <u>?

  17. #17
    SitePoint Enthusiast
    Quote:
    Perhaps a good solution lies in the question: What HTML tags to allow?

    Yep, I agree wholeheartedly that whitelist filtering is the way to go. Blacklists are just fundamentally flawed.

    However, I disagree that the set of allowed tags is smaller than the set of prohibited tags. Good whitelists can be difficult to make.

    Quote:
    What other ones do you need to really allow except for <b>, <i> and maybe <u>?

    It depends. On a forum, perhaps that would be permissible, although you'd probably want to allow links, quotes and code fragments too. However, we're talking about a social networking site, so it's in our best interests to let users use as much HTML as possible without posing an XSS threat or totally destroying the site's layout.
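The whitelist filtering argued for in this last post, together with the point made in #11 about not letting DTD-listed attributes such as onclick through, as an added example that is not from the thread and is not HTML Purifier's code: a minimal sanitizer built on Python's standard-library HTMLParser. The tag/attribute whitelist, the URL rules (absolute http(s) links; site-relative image paths only, in the spirit of the "local images" option mentioned in #9) and the sample profile markup in the comments are all constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
# Whitelist: tag -> attributes allowed on it. Anything not listed is dropped, so
# onclick/style/iframe/embed never have to be enumerated (the blacklist problem).
ALLOWED = {"b": set(), "i": set(), "u": set(), "a": {"href"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"script", "style"}   # drop the element AND its text

def safe_url(attr, value):   # href: absolute http(s) only; src: site-relative path only
    p = urlparse(value.strip())
    if attr == "href":
        return p.scheme in ("http", "https") and bool(p.netloc)
    return not p.scheme and not p.netloc and value.startswith("/") and not value.startswith("//")

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0   # output, open kept tags, skip depth
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED:
            return                    # unknown tag dropped; its text is kept (escaped)
        kept = []
        for name, value in attrs:     # keep only whitelisted attributes with safe values
            if name not in ALLOWED[tag] or value is None or (
                    name in ("href", "src") and not safe_url(name, value)):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "img":              # img is void: nothing to close later
            self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.open:        # also close inner tags still open: keeps nesting balanced
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(markup):
    """Constructed sample: '<b onclick="x()">hi</b><script>...</script>' -> '<b>hi</b>'."""
    p = WhitelistSanitizer()
    p.feed(markup)
    p.close()                         # flush trailing text, then close anything left open
    return "".join(p.out) + "".join(f"</{t}>" for t in reversed(p.open))
```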
