Users Posting HTML Concerns

Hello,
On my site I am allowing users to post HTML, and I'm in the planning phase.
I've already written a regex to get rid of <script> and <frame> tags, but I have run into a problem regarding <embed>: it seems as though in browsers such as Chrome, <embed> acts like an <iframe> tag.

The problem is that with this sort of behavior users may link to potentially harmful sites, like infinite alert boxes etc.
How will I be able to make sure users don't embed websites instead of Flash?

Alternate Question:
Also if I do allow users to include websites, how could I disable alert boxes?

PHP

4 Comments

@NogDog Mar 14, 2011 — You might want to consider using either a BBCode package/class (similar to what this forum uses) or one of the WYSIWYG interfaces such as TinyMCE. They normally include configuration options that control which tags you'll allow, plus they can exclude/limit tag attributes that might be used for XSS attacks and such. A simpler alternative would be to use strip_tags() with the optional parameter to provide a "white list" of allowed tags. If you do that, however, you would still want to run some filtering to disallow javascript attributes and events (onclick, onload, etc.).
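One way to do what this reply describes, as an added example that is not code from the thread: strip_tags() with an allow-list, followed by a DOM pass that removes event-handler attributes and non-http(s) URLs, because strip_tags() leaves every attribute on the tags it keeps. The tag list, attribute list and function names are assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread): allow-list sanitizer for user-posted HTML.
// Step 1: strip_tags() with an allow-list, as the reply suggests.
// Step 2: walk the surviving elements and drop every attribute that is not explicitly
// allowed (which covers all on* handlers) and any href/src that is not a plain http(s) URL.

// Assumed allow-lists; adjust to what the site actually needs.
const ALLOWED_TAGS  = '<p><br><b><i><u><em><strong><a><img><ul><ol><li><blockquote>';
const ALLOWED_ATTRS = [
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt', 'width', 'height'],
];

function isSafeUrl(string $url): bool
{
    // Site-relative links and http(s) survive; javascript:, data:, vbscript: etc. do not.
    // Bare relative paths such as "images/x.png" are rejected too, to keep the rule simple.
    $url = trim($url);
    if ($url === '' || $url[0] === '/' || $url[0] === '#') {
        return true;
    }
    return (bool) preg_match('#^https?://#i', $url);
}

function sanitizeHtml(string $input): string
{
    $stripped = strip_tags($input, ALLOWED_TAGS);

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                 // tolerate sloppy user markup
    // The XML PI fixes the encoding; the wrapper div gives us one node to serialize from.
    $doc->loadHTML('<?xml encoding="utf-8" ?><div id="root">' . $stripped . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//*') as $el) {
        /** @var DOMElement $el */
        $keep = ALLOWED_ATTRS[strtolower($el->tagName)] ?? [];
        // Collect first, then remove: deleting while iterating the live attribute map skips entries.
        $toRemove = [];
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $keep, true)) {
                $toRemove[] = $attr->name;                      // e.g. onclick, onerror, style
            } elseif (($name === 'href' || $name === 'src') && !isSafeUrl($attr->value)) {
                $toRemove[] = $attr->name;                      // allowed attribute, unsafe value
            }
        }
        foreach ($toRemove as $name) {
            $el->removeAttribute($name);
        }
    }

    $root = $xpath->query('//div[@id="root"]')->item(0);
    $out  = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed input: a paragraph with an event handler and an image with an onerror handler.
// Both handlers are removed; the <p>, <b> and <img src> survive.
echo sanitizeHtml('<p onclick="x()">hello <b>world</b> <img src="/a.png" onerror="y()"></p>'), "\n";
```

The DOM pass is what a regex over the raw text cannot do reliably: libxml turns the markup into attribute nodes before any decision is made, so a handler written in mixed case, padded with odd whitespace, or sitting in an unclosed tag is still seen as an attribute and removed. For production use, a maintained library such as HTML Purifier applies the same allow-list idea with a far larger rule set.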
@GB_001 (author) Mar 14, 2011 — [QUOTE]You might want to consider using either a BBCode package/class (similar to what this forum uses) or one of the WYSIWYG interfaces such as TinyMCE. They normally include configuration options that control which tags you'll allow, plus they can exclude/limit tag attributes that might be used for XSS attacks and such. A simpler alternative would be to use strip_tags() with the optional parameter to provide a "white list" of allowed tags. If you do that, however, you would still want to run some filtering to disallow javascript attributes and events (onclick, onload, etc.).[/QUOTE]

Yes, I've already filtered out what tags I don't want and used jQuery's .unbind() to disable JavaScript events, although I'd rather use BBCode for formatting rather than embedding. Thanks, but this doesn't exactly answer my question about embedding, though: I want to be able to make sure that what's embedded isn't a website, but some sort of video, Flash or audio content.
@NogDog Mar 14, 2011 — Ah, okay. Only thing that pops to mind at the moment would be to require a "type" attribute, and then check if it is a type you want to allow. However, I'm not sure what any given browser might do if the tag has a type of "application/x-shockwave-flash" but the actual content is a HTML web page. I suppose you could go a step further and use cURL to grab the response headers (only) from the URL, and check what it says the content-type is.
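The two checks in this reply, a required `type` attribute on `<embed>` and a cURL request for the response headers only, as an added example that is not code from the thread. The MIME allow-list, the function names and the decision to treat a missing or mismatched type as a rejection are assumptions; `<embed>` would of course have to be on the site's tag allow-list for an element to reach this stage at all.

```php
<?php
// Added example (not from the thread): accept an <embed> only when it declares an allowed
// type AND the origin server says it serves that same type. A Flash <embed> whose src
// actually returns text/html is a framed web page and is dropped.

// Assumed allow-list of embeddable media types.
const ALLOWED_EMBED_TYPES = [
    'application/x-shockwave-flash',
    'video/mp4',
    'audio/mpeg',
];

// Lowercase the media type and drop parameters such as "; charset=...".
function normalizeMediaType(string $type): string
{
    return strtolower(trim(explode(';', $type)[0]));
}

// Returns the declared type if it is present and allowed, otherwise null (no guessing).
function declaredEmbedType(DOMElement $embed): ?string
{
    if (!$embed->hasAttribute('type')) {
        return null;
    }
    $type = normalizeMediaType($embed->getAttribute('type'));
    return in_array($type, ALLOWED_EMBED_TYPES, true) ? $type : null;
}

// HEAD request via cURL: headers only, as the reply suggests. Returns the Content-Type or null.
function remoteContentType(string $url): ?string
{
    // Only http(s): the server is about to fetch a user-supplied URL, so keep it to web origins.
    if (!preg_match('#^https?://#i', $url)) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,                 // HEAD: no body transferred
        CURLOPT_HEADER         => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                // a redirect would be a URL we never checked
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $raw    = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $ctype  = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);

    if ($raw === false || $status !== 200 || !is_string($ctype)) {
        return null;
    }
    return normalizeMediaType($ctype);
}

function embedIsAcceptable(DOMElement $embed): bool
{
    $declared = declaredEmbedType($embed);
    if ($declared === null || !$embed->hasAttribute('src')) {
        return false;
    }
    return remoteContentType($embed->getAttribute('src')) === $declared;
}

// Removes every <embed> in the fragment that fails the check and returns the cleaned HTML.
function filterEmbeds(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="utf-8" ?><div id="root">' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);

    // Collect first, then remove: deleting while iterating would skip siblings.
    $doomed = [];
    foreach ($xpath->query('//embed') as $embed) {
        if (!embedIsAcceptable($embed)) {
            $doomed[] = $embed;
        }
    }
    foreach ($doomed as $node) {
        $node->parentNode->removeChild($node);
    }

    $out = '';
    foreach ($xpath->query('//div[@id="root"]')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
```

Call `filterEmbeds()` on the user's fragment at submit time. Three caveats a practitioner should keep in mind: the header check is a time-of-check versus time-of-use comparison, since the URL can start serving something else after the post is saved, so re-checking on display or proxying the media through your own host is stronger; fetching user-supplied URLs turns your server into an HTTP client acting on their behalf, which is why the code refuses non-http(s) schemes and redirects, and rejecting hostnames that resolve to internal address ranges is a sensible further step; and, as the reply itself says, a browser may still decide how to handle the content by sniffing it, so the declared type is only as trustworthy as the origin check that backs it.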
@GB_001 (author) Mar 14, 2011 — [QUOTE]Ah, okay. Only thing that pops to mind at the moment would be to require a "type" attribute, and then check if it is a type you want to allow. However, I'm not sure what any given browser might do if the tag has a type of "application/x-shockwave-flash" but the actual content is a HTML web page. I suppose you could go a step further and use cURL to grab the response headers (only) from the URL, and check what it says the content-type is.[/QUOTE]

Thank you, I think type will work for this.

I've tested in Chrome and Firefox so far, and IE doesn't support embed, so I think I have a working solution.