Comments
Is there a possible threat even after disabling position, z-index and opacity?
@Mark I see the "style" attribute has been disabled, and it seems I can enable it by commenting out line 53 in plugins/HtmlLawd/class.htmlawed.plugin.php
$Config['deny_attribute'] .= ',style';
My question is: if I comment out this line, "style" will be working again, but does that pose a threat?
There seems to be a workaround for position, z-index and opacity in line 73.
What are html alternatives to change font color?
If you want to allow very much formatting you should probably switch your forum to use HTML Purifier. There's a plugin you can download for this.
I'm the author of DaDaBIK, a PHP Web application generator, and I would like to use HTMLawed for my project too, because HTMLpurifier seems to me too complex and doesn't support PHP4.
However, it seems that there are other vulnerabilities besides the style and class ones, which you solve by disabling them.
I refer for example to the character encoding checking problems or the attribute-based security vulnerabilities... anyway, you can read about all the limitations and problems here:
http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.8
So what do you think about it, and why didn't you consider these issues?
Thanks in advance.
Cheers,
Eugenio
Noticed this topic thanks to the SPAM messages above.
Apart from this, have the HTML security problems this thread is about been solved?
The topic is very interesting: maybe using good old BBCode as the only markup editor can be a solution?
candyman @patnaik answers the question well, and he would know. It is all about using it appropriately.
btw I mentioned the class white-list approach as well. You can also have limited styling, not really a problem.
Vanilla forums uses a style, they are happy to firefight tomfoolery. It really is not a problem to limit style to bbcode level. But you also get the benefit of using broader html.
This really isn't as big an issue as has been made out. Out of the box the plugin is safe.
grep is your friend.
The security issue was plugged by Todd's config changes. As long as you don't change the config to allow style/class again, you should be fine. If you use an advanced WYSIWYG editing plugin you'll probably want to consider installing the HTML Purifier plugin.
honestly html purifier is over hyped, there are some use cases, but a forum is not one of them IMO. Possibly collaborative blogging, that sort of scale.
If you are doing an advanced WYSIWYG then presumably you know what you are doing. There is no reason why you couldn't use it with htmlLawed. Just many things would be stripped out. For instance I use a class whitelist configuration of htmlLawed and use my own tinyMCE setup, which adds the classes. I'm not worried about styling in feeds in my case. All in-line styles are stripped.
grep is your friend.
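To make the two approaches discussed in this thread concrete (the plugin's "deny style" fix, and the class whitelist mentioned above), here is an added example written for this page; it is not code from the Vanilla plugin or from the htmLawed project. It assumes the htmLawed library file htmLawed.php is on the include path, and the $spec syntax follows the htmLawed README (check it against the version you run). The input $post is constructed for the demo: a full-page transparent overlay using position, z-index and opacity, a second copy whose property name uses a CSS backslash escape so that a regex looking for the literal word "position" would miss it, and two class values of which only one is meant to be allowed.

```php
<?php
// Added example for this thread, not code from the plugin or htmLawed.
// Assumption: htmLawed.php (the library) is on the include path.
require_once 'htmLawed.php';

// Constructed attacker post. The first div is an invisible overlay
// covering the whole page; the span uses the CSS escape "po\sition"
// which is still parsed by browsers as "position" but does not match a
// naive /position/ regex (the "workaround" style of blocking).
$post = '<div style="position:absolute;top:0;left:0;width:100%;height:100%;'
      . 'z-index:9999;opacity:0">click me</div>'
      . '<span style="po\\sition:fixed;top:0">escaped</span>'
      . '<span class="hilite">ok</span><span class="evil-class">bad</span>';

// 1) The plugin's fix: refuse the attributes outright instead of trying
//    to blacklist individual CSS properties. Equivalent to the plugin's
//    $Config['deny_attribute'] .= ',style'; plus denying class.
$denyConfig = array(
    'safe'           => 1,            // htmLawed's built-in safer defaults
    'deny_attribute' => 'style,class',
);
echo htmLawed($post, $denyConfig), "\n";

// 2) Class whitelist: still drop style entirely, but keep class on span
//    when its value matches a fixed list. Assumed spec syntax per the
//    htmLawed README: element=attribute(rule=value).
$whitelistConfig = array(
    'safe'           => 1,
    'deny_attribute' => 'style',
);
$spec = 'span=class(match="/^(?:hilite|quote)$/")';
echo htmLawed($post, $whitelistConfig, $spec), "\n";
```

Run it with php from the directory containing htmLawed.php. Config 1 is intended to remove every style and class attribute from the input, including the escaped one, because nothing about the attribute value is inspected. Config 2 is intended to keep class="hilite" and drop the other class value and all style attributes. The point of the demo is the second span: any approach that keeps style and tries to filter dangerous properties by pattern has to handle CSS escapes, case and whitespace variations, which is why dropping the attribute is the safer default.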