FS#2613 - What HTML are allowed in comment field?

Attached to Project: AUR web interface
Opened by Sergio Jovani Guzman (moret) - Tuesday, 19 April 2005, 07:58 GMT
Last edited by Simo Leone (neotuli) - Friday, 22 April 2005, 03:31 GMT
Task Type Bug Report
Category Backend
Status Closed
Assigned To Paul Mattal (paul)
Architecture All
Severity Critical
Priority Urgent
Reported Version 1.0
Due in Version 1.0.1
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

I've seen that comments support HTML, like <b>, but it can be dangerous if you limit this use. JavaScript or other things are dangerous. Is it limited? If it's not, I know a PHP function that removes any HTML code.

--------------------------------------------
function html($comment) {
    $comment = trim($comment);
    // Encode <, >, & and quotes so the browser shows them as text instead of markup
    $comment = htmlspecialchars($comment);
    return $comment;
}
--------------------------------------------

And you can use it...
--------------------------------------------
// Single quotes: the original used unescaped double quotes inside a double-quoted string
$comment = '<a href="">...</a>...';
$comment = html($comment);

echo $comment;
--------------------------------------------

Bye!
Closed by  Paul Mattal (paul)
Saturday, 23 April 2005, 00:22 GMT
Reason for closing:  Fixed
Comment by Simo Leone (neotuli) - Friday, 22 April 2005, 03:34 GMT
Assigned task to the right people and upgraded severity to critical.
I tested this out, it's no joke, you can embed as much javascript as you want to in a comment.
http://aur.archlinux.org/packages.php?do_Details=1&ID=55 . And that's just a harmless example.

I was also able to make it so that the package page was never displayed, but the user is immediately redirected to wherever.
I suppose the list goes on.

This needs to get taken care of. NOW.
Comment by Paul Mattal (paul) - Friday, 22 April 2005, 03:36 GMT
I can't argue with this. I'm on it.
Comment by Simo Leone (neotuli) - Friday, 22 April 2005, 03:44 GMT
Might be able to use a combination of strip_tags() and htmlspecialchars() to get the safe tags, but this still doesn't handle the javascript problem.
Comment by Paul Mattal (paul) - Friday, 22 April 2005, 03:58 GMT
I've wrapped it in htmlspecialchars(strip_tags()). Hoping this will improve things greatly. Will ship this tonight.
Comment by Paul Mattal (paul) - Friday, 22 April 2005, 04:41 GMT
This kills your javascript example above, it seems. Let me know if you see a further security hole.
Comment by Simo Leone (neotuli) - Friday, 22 April 2005, 23:14 GMT
Can we close this bug? I think it's been handled.

Only thing I can think of would be allowing certain tags, like bold, italic and so forth. But then again, these are just package comments, not a forum.
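The following is an added example, not code from the AUR or from anyone in this thread. It runs the strategies discussed above (raw output, the shipped htmlspecialchars(strip_tags()) wrapper, and the allow-listing of bold and italic floated at the end) over a handful of constructed comment strings, and flags where live markup still reaches the page. The comment texts, the evil.example hostname, the function names and the still_dangerous() heuristic are all made up for the demonstration.

```php
<?php
// Added example (not AUR code): the escaping strategies discussed in this
// task, run over constructed comment strings. The hostnames and comment
// texts are made up for the demonstration.

// Constructed comments in the spirit of the thread: script injection,
// an event handler on an otherwise harmless tag, a javascript: URL,
// a forced redirect, and an innocent comment that uses <b>.
$comments = [
    'script'   => 'nice pkg <script>document.location="http://evil.example/"</script>',
    'event'    => '<b onmouseover="alert(1)">bold</b> text',
    'jsurl'    => '<a href="javascript:alert(1)">link</a>',
    'redirect' => '<meta http-equiv="refresh" content="0;url=http://evil.example/">',
    'plain'    => 'version 1.0 is <b>broken</b> for me & others',
];

// 1. Behaviour before the fix: the comment is echoed into the page as-is.
function render_raw(string $c): string {
    return $c;
}

// 2. The fix shipped in this task: drop every tag, then entity-encode
//    whatever is left so nothing can re-open a tag.
function render_fixed(string $c): string {
    return htmlspecialchars(strip_tags(trim($c)), ENT_QUOTES, 'UTF-8');
}

// 3. strip_tags() with an allow-list, as floated at the end of the thread.
//    Not safe on its own: PHP keeps the attributes of allowed tags, so an
//    event handler on <b> survives.
function render_allowlist_only(string $c): string {
    return strip_tags($c, '<b><i>');
}

// 4. Allow-list done the other way round: encode everything first, then
//    re-enable only the exact, attribute-free forms of a few tags.
//    "<b onmouseover=...>" encodes to "&lt;b onmouseover=...&gt;", which
//    does not match "&lt;b&gt;" and therefore stays inert text.
function render_allowlist_safe(string $c): string {
    $safe = htmlspecialchars(trim($c), ENT_QUOTES, 'UTF-8');
    foreach (['b', 'i'] as $tag) {
        $safe = str_replace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $safe
        );
    }
    return $safe;
}

// Crude check for the cases above only: any '<' that does not start an
// attribute-free <b>, </b>, <i> or </i> means live markup reached the page.
// This is a demo heuristic, not a general XSS detector.
function still_dangerous(string $html): bool {
    return (bool) preg_match('#<(?!/?[bi]>)#', $html);
}

$strategies = [
    'raw'            => 'render_raw',
    'fixed'          => 'render_fixed',
    'allowlist_only' => 'render_allowlist_only',
    'allowlist_safe' => 'render_allowlist_safe',
];

foreach ($comments as $name => $comment) {
    foreach ($strategies as $label => $fn) {
        $out = $fn($comment);
        printf("%-8s %-15s %-6s %s\n",
            $name, $label, still_dangerous($out) ? 'UNSAFE' : 'ok', $out);
    }
    echo "\n";
}
```

Run it with `php example.php`. The 'event' row is the one to look at: strip_tags() with an allow-list keeps the onmouseover attribute on the permitted <b>, which is exactly the "still doesn't handle the javascript problem" objection above, while the shipped htmlspecialchars(strip_tags()) wrapper and the encode-then-re-enable variant both leave only inert text. The cost of the shipped fix shows in the 'plain' row: the user's <b> is gone rather than rendered, which is the trade-off the last comment is weighing. Anything richer than attribute-free tags (links, for instance) would need a real HTML sanitizer rather than string replacement.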