
Major HTMLawed Security Issues


Comments

  • BUMP
    Is there a possible threat even after disabling position, z-index and opacity?
  • Mark (Vanilla Staff)
    If you are using vanilla 2.0.10 or greater, this is no longer a threat.
  • atmey (New)
    edited October 2010
    @Mark
    I see the "style" has been disabled, and it seems I can enable it by commenting line 53 in plugins/HtmlLawd/class.htmlawed.plugin.php
    $Config['deny_attribute'] .= ',style';
    My question is: if I comment out this line, "style" will work again; does that pose a threat?

    There seems to be a work around against position, z-index and opacity in line 73
  • Mark (Vanilla Staff)
    We found that even if you disable z-index and opacity, there were other ways to hack things the more we tested. We decided to drop style altogether as a result. If the community wants to work on a definitive CSS attribute blocking list, we'd be happy to implement it. But this was the most sure-fire way to block attacks for the time being.
  • Okay, gotcha, thanks.
    What are HTML alternatives to change font color?
  • @Atmey, you can do this with the color attribute of the font tag, but the font tag is technically deprecated.

    If you want to allow very much formatting you should probably switch your forum to use HTML Purifier. There's a plugin you can download for this.
  • Hi,
    I'm the author of DaDaBIK, a PHP Web application generator, and I would like to use HTMLawed for my project too, because HTMLpurifier seems to me too complex and doesn't support PHP4.

    However, it seems that there are other vulnerabilities than the style and class ones, which you solve by disabling them.
    I refer for example to the character encoding checking problems or the attribute-based security vulnerabilities... anyway, you can read all the limitations and problems here:
    http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.8

    So what do you think about this, and why didn't you consider these issues?

    Thanks in advance.

    Cheers,

    Eugenio
  • Mark (Vanilla Staff)
    @Todd or @Tim have any comments/ideas?
  • I noticed this topic thanks to the SPAM messages above.
    Apart from this, have the HTML security problems this thread is about been solved?
    The argument is very interesting: maybe using the good old BBCode as the only markup editor could be a solution?

  • x00 (MVP)
    edited December 2011

    candyman @patnaik answers the question well, and he would know. It is all about using it appropriately.

    BTW, I mentioned the class white-list approach as well. You can also have limited styling, not really a problem.

    Vanilla Forums uses style; they are happy to firefight tomfoolery. It really is not a problem to limit style to BBCode level. But you also get the benefit of using broader HTML.

    This really isn't as big an issue as has been made out. Out of the box the plugin is safe.

    grep is your friend.
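    Mark's point above (a deny list of position, z-index and opacity still left other ways in) and x00's remark that limited styling is workable both come down to how the style attribute is filtered. What follows is an added, stand-alone Python example, not htmLawed's code and not Vanilla's plugin; the sample style strings are constructed for the demonstration. It contrasts a naive deny list with an allow list of a few properties and tight value patterns, and shows two CSS parsing facts that defeat matching on property names: backslash escapes inside identifiers (`po\sition` is `position` to the browser) and comments between the property name and the colon (`position/**/:fixed`).

```python
import re

# Naive deny list, as discussed in the thread: drop a declaration if its
# property name is position, z-index or opacity, keep everything else.
DENIED = {"position", "z-index", "opacity"}


def denylist_style(style: str) -> str:
    """Keep every declaration except those whose (lower-cased) name is in DENIED."""
    kept = []
    for decl in style.split(";"):
        name, sep, value = decl.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            continue
        if name.lower() in DENIED:
            continue
        kept.append(f"{name}:{value}")
    return ";".join(kept)


# Allow list: a few harmless properties, each with a tight value pattern.
# The property name must be a plain ASCII identifier, so CSS escapes
# (po\sition) and comments (position/**/) are rejected by construction
# instead of merely "not being found" in a deny list.
ALLOWED = {
    "color": re.compile(r"^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})$", re.I),
    "font-weight": re.compile(r"^(normal|bold)$", re.I),
    "text-decoration": re.compile(r"^(none|underline|line-through)$", re.I),
}
NAME_RE = re.compile(r"^[a-z][a-z-]*$", re.I)


def allowlist_style(style: str) -> str:
    """Keep only declarations whose name is in ALLOWED and whose value matches its pattern."""
    kept = []
    for decl in style.split(";"):
        name, sep, value = decl.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not NAME_RE.match(name):
            continue
        rule = ALLOWED.get(name.lower())
        if rule and rule.match(value):
            kept.append(f"{name.lower()}:{value.lower()}")
    return ";".join(kept)


# Constructed sample style attributes (not taken from the thread). A browser's
# CSS parser reads `po\sition` (backslash escape in an identifier) and
# `position/**/` (comment before the colon) as the property `position`,
# so the deny list lets those two through while the allow list drops them.
SAMPLES = [
    "color:red; position:fixed; top:0; left:0",
    "color:red; po\\sition:fixed",
    "color:red; position/**/:fixed",
    "color:red; POSITION:fixed",
    "color:#ff0000; font-weight:bold; background:url(x)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}")
        print(f"  deny-list : {denylist_style(s)!r}")
        print(f"  allow-list: {allowlist_style(s)!r}")
```

    The allow list is the shape of the "limited styling" x00 describes: it decides what is permitted rather than what is forbidden, so an attribute spelling the filter did not anticipate fails closed. The same reasoning applies to a class whitelist: accept only known class names matched as whole identifiers, never a name that merely lacks a blocked substring.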

  • The security issue was plugged by Todd's config changes. As long as you don't change the config to allow style/class again, you should be fine. If you use an advanced WYSIWYG editing plugin you'll probably want to consider installing the HTML Purifier plugin.

  • Honestly, HTML Purifier is overhyped; there are some use cases, but a forum is not one of them IMO. Possibly collaborative blogging, that sort of scale.

    If you are doing an advanced WYSIWYG then presumably you know what you are doing. There is no reason why you couldn't use it with htmlLawed. Just many things would be stripped out. For instance, I use a class whitelist configuration of htmlLawed and use my own TinyMCE setup, which adds the classes. I'm not worried about styling in feeds in my case. All in-line styles are stripped.

    grep is your friend.
