
HTML Formatter Security Bug (October 30 2005)

Mark (Vanilla Staff)
edited October 2005 in Vanilla 1.0 Help
Everyone should be aware that SirNot and I discovered some bugs in the HTML formatter whereby someone could execute javascript in specific browsers. SirNot has fixed the bugs in the release version of the html formatter that comes with Vanilla. You can either download that version of Vanilla from getvanilla.com, or you can do the following to repair the bug:

Open up extensions/HtmlFormatter.php

Replace the Execute function with this:
function Execute($String)
{
	$AllowedProtocols = array('http', 'ftp', 'https', 'irc', 'gopher');
	
	$Patterns = array(
		"/o(?i)(n)/", //block all js events, but keep it as exact as possible in case 
		"/O(?i)(n)/", //we're mistaking it for a url or something
		"/<a(.+?)href\s*=(\W*)([\w\d\x0a\x0d#&;]+?):([^>]+?)>/esi", 
			//on some browsers the js protocol will still work even if it
			//contains html entities or a newline separating 'java' and 'script'
		"/s(?i)(cript)/", //now we can go through and cancel out any script tags
		"/S(?i)(cript)/"
	);
	$Replacements = array(
		"&#111;\\1", 
		"&#79;\\1", 
		'$this->CheckProtocol("\\3", $AllowedProtocols, "href="."\\2", "<a"."\\1", "\\4".">")', //evaluated as PHP code via the /e modifier on the href pattern
		"&#115;\\1", 
		"&#83;\\1"
	);
	
	return preg_replace($Patterns, $Replacements, $String);
}
Then you'd want to add in this function in the same class as well:
function CheckProtocol($Check, $Allow, $Extra, $Prefix, $Suffix)
{
	$sReturn = stripslashes($Prefix);
	if(!in_array($Check, $Allow)) $sReturn .= ($Extra.'http://');
	else $sReturn .= ($Extra.$Check.':');
	$sReturn .= stripslashes($Suffix);
	
	return $sReturn;
}
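
As an added example that is not part of the original post or of Vanilla's code, here is a Python port of the patched Execute()/CheckProtocol() logic above, so the filter's behaviour can be checked on constructed input; the names are this example's own. The original's stripslashes calls exist only because of PHP's /e modifier (removed in PHP 7) and are not mirrored.

```python
import re

# Added example (not Vanilla's own code): Python port of the patched
# Execute()/CheckProtocol() logic. Names here are this example's own.

ALLOWED_PROTOCOLS = ("http", "ftp", "https", "irc", "gopher")

# Patterns 1/2 and 4/5 of the post: entity-encode the leading letter of
# "on..." and "script" so a browser no longer sees onXXX= or <script>.
EVENT_RE = re.compile(r"o(?=n)", re.IGNORECASE)
SCRIPT_RE = re.compile(r"s(?=cript)", re.IGNORECASE)
# Pattern 3: the scheme class admits entities and CR/LF, because some
# browsers of the time still ran "java<newline>script:" or entity-spelled
# schemes, so the check has to see those bytes before the browser does.
HREF_RE = re.compile(
    r"<a(.+?)href\s*=(\W*)([\w#&;\r\n]+?):([^>]+?)>", re.IGNORECASE | re.DOTALL)


def encode_first(match):
    """Replace the matched letter with its decimal entity (&#111; / &#79;)."""
    return "&#%d;" % ord(match.group(0))


def check_protocol(scheme, quote, prefix, suffix, allowed=ALLOWED_PROTOCOLS):
    """CheckProtocol(): keep an allowed scheme, otherwise force http://."""
    if scheme not in allowed:
        return prefix + "href=" + quote + "http://" + suffix
    return prefix + "href=" + quote + scheme + ":" + suffix


def sanitize(html):
    """Execute(): apply the replacements in the post's order."""
    html = EVENT_RE.sub(encode_first, html)
    html = HREF_RE.sub(
        lambda m: check_protocol(m.group(3), m.group(2),
                                 "<a" + m.group(1), m.group(4) + ">"),
        html)
    return SCRIPT_RE.sub(encode_first, html)


if __name__ == "__main__":
    # Constructed samples covering the cases the post describes.
    for sample in ('<a href="https://example.com/">ok</a>',
                   '<a href="javascript:void(0)">x</a>',
                   '<a href="java\nscript:x()">y</a>',
                   '<img src=x onerror=bad()>',
                   '<script>x()</script>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Allowed schemes pass through untouched; anything else, including a scheme split by a newline, is rewritten to http:// and the event-handler and script keywords are left entity-encoded.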

Comments

  • edited October 2005
    There are also weaknesses as discovered by SirNot in this thread: http://www.lussumo.com/community/comments.php?DiscussionID=1061&page=1#Item_2 - fix in thread.