Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In with Facebook Sign In with Google Sign In with OpenID Sign In with Twitter
Sign In Apply for Membership

Categories

In this Discussion

Who's Online 14

6apxatCurtisOdencclawsconnectrx00422 +8 guests

HTML Formatter Security Bug (October 30 2005)

MarkMark
in Questions
Everyone should be aware that SirNot and I discovered some bugs in the HTML formatter whereby someone could execute javascript in specific browsers. SirNot has fixed the bugs in the release version of the html formatter that comes with Vanilla. You can either download that version of Vanilla from getvanilla.com, or you can do the following to repair the bug:

Open up extensions/HtmlFormatter.php

Replace the Execute function with this: 
function Execute($String)
{
	$AllowedProtocols = array('http', 'ftp', 'https', 'irc', 'gopher');
	
	$Patterns = array(
		"/o(?i)(n)/", //block all js events, but keep it as exact as possible in case 
		"/O(?i)(n)/", //we're mistaking it for a url or something
		"/<a(.+?)href\s*=(\W*)([\w\d\x0a\x0d#&;]+?):([^>]+?)>/esi", 
			//on some browsers the js protocol will still work even if it
			//contains html entities or a newline seperating 'java' and 'script'
		"/s(?i)(cript)/", //now we can go through and cancel out any script tags
		"/S(?i)(cript)/"
	);
	$Replacements = array(
		"o\\1", 
		"O\\1", 
		'$this->CheckProtocol("\\3", $AllowedProtocols, "href="."\\2", "<a"."\\1", "\\4".">")', 
		"s\\1", 
		"S\\1"
	);
	
	return preg_replace($Patterns, $Replacements, $String);
}
Then you'd want to add in this function in the same class as well: 
function CheckProtocol($Check, $Allow, $Extra, $Prefix, $Suffix)
{
	$sReturn = stripslashes($Prefix);
	if(!in_array($Check, $Allow)) $sReturn .= ($Extra.'http://');

	else $sReturn .= ($Extra.$Check.':');
	$sReturn .= stripslashes($Suffix);
	
	return $sReturn;
}

Comments

This discussion has been closed.