02-05-2007, 06:45 PM   #1
farmerjoe (Member)
Registered: Oct 2004
Location: Texas
Distribution: Ubuntu - Home, RHEL4 - Server
Posts: 96
Anyone know how to block JavaScript from being run in HTML comment editors?


I have a website in which I would like to allow users the option to write articles using an in-browser text editor that allows HTML tags. The only problem is that currently, users are able to paste JavaScript into the editor. This obviously poses a security risk in that haxx00rs could backpack malicious code within comment or article posts. Anyone have a simple solution to blocking JavaScript from being parsed with the posts? Or maybe there is a better way? Please help guys!
 
02-06-2007, 05:21 AM   #2
unSpawn (Moderator)
Registered: May 2001
Posts: 27,369
Blog Entries: 54
Check out this LQ topic: The Problem With PHP Application Security. It's about filtering.
 
02-06-2007, 11:04 AM   #3
farmerjoe (Original Poster)
Thanks for the lead! Will this work to filter javascript as well?
 
02-06-2007, 11:56 AM   #4
unSpawn (Moderator)
a) It's meant as something to look into wrt filtering in general
b) I don't know. Depends on what you filter input with I guess.
 
02-07-2007, 07:02 PM   #5
farmerjoe (Original Poster)
Thanks for the help. Anyone else got any tips / opinions?
 
02-07-2007, 11:14 PM   #6
graemef (Senior Member)
Registered: Nov 2005
Location: Hanoi
Distribution: Fedora 13, Ubuntu 10.04
Posts: 2,379
If you are playing around with PHP then you may want to look at the PHP function strip_tags(). This will remove HTML tags from the string, but you can add an exception list of allowable tags. Comments are always stripped, which is probably what you are looking for. This way you can restrict the number of allowable HTML tags that your submitters can use.
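A caveat worth checking before relying on strip_tags() with an allow-list: it removes disallowed tags, but it does not touch the attributes of the tags it keeps, so event handlers and javascript: URLs on allowed elements go straight through. The script below is an added example (not from the thread or any of its posters); the attacker input is constructed for illustration.

```php
<?php
// Added example: strip_tags() with an allow-list removes disallowed *tags*,
// but leaves the *attributes* of allowed tags untouched, so script can still
// run through event handlers and javascript: URLs.

// Constructed attacker input. Every element except <script> is on the
// allow-list below, and each of those carries script in an attribute.
$input = '<b>hi</b>'
       . '<script>alert(1)</script>'
       . '<a href="javascript:alert(document.cookie)">click</a>'
       . '<img src="x" onerror="alert(1)">'
       . '<p onmouseover="alert(1)">text</p>';

$allowed  = '<b><a><img><p>';
$stripped = strip_tags($input, $allowed);

// Checks for what typically survives strip_tags(). Run them on the real
// output rather than trusting the allow-list.
function leaks(string $html): array
{
    $patterns = [
        'event handler attribute' => '/\son[a-z]+\s*=/i',
        'javascript: URL'         => '/\b(?:href|src)\s*=\s*["\']?\s*javascript:/i',
        'script element'          => '/<script\b/i',
    ];
    $found = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $html)) {
            $found[] = $name;
        }
    }
    return $found;
}

echo "After strip_tags: ", $stripped, "\n";
foreach (leaks($stripped) as $name) {
    echo "still present: ", $name, "\n";
}
```

With this input the `<script>` element itself is gone (its body, `alert(1)`, stays behind as plain text), but the `onerror`, `onmouseover` and `href="javascript:..."` attributes survive, so the result is still exploitable the moment it is rendered. strip_tags() is a formatting tool; an allow-list that does not also cover attributes and URL schemes does not stop script.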
 
02-08-2007, 03:40 PM   #7
farmerjoe (Original Poster)
Here's a better explanation:

We can remove and preg_replace the JavaScript <script> tags easily enough.

The problem comes when someone copies HTML into a comment or article posting that's like this:

</div>
<div> hello world</div>

in which that first tag will close the stuff above it.

In essence, we want to allow people to include HTML in comments and article postings, but we want to make sure the HTML is clean and well formatted so it doesn't mess up the rest of the site.

We would rather not have to write an HTML parser from scratch, because we want ALL HTML tags to be allowed. This would cause us to have to reference the entire HTML tag library.

Maybe someone has already written a solution to this problem?
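One way to handle both problems in the post above, the stray closing tag and the embedded script, without writing a parser from scratch: let PHP's DOMDocument (libxml2's HTML parser, bundled with the dom extension) parse the fragment into a tree, then walk the tree and keep only an allow-list of elements and attributes. The parser confines a leading `</div>` to the fragment and closes unclosed elements, and the walk drops everything that can carry script. This is an added example, not code from the thread or from any of its posters; the tag, attribute and URL scheme lists are assumptions chosen for illustration, as is the constructed sample post at the bottom.

```php
<?php
// Added example: allow-list HTML sanitizer on top of DOMDocument.
// The lists below are assumptions for illustration, not a recommendation
// for any particular site.
const ALLOWED_TAGS = ['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol',
                      'li', 'div', 'img', 'pre', 'code', 'blockquote'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
// Elements whose *content* must go too, not just the tag.
const DROP_TAGS = ['script', 'style', 'iframe', 'object', 'embed'];

function safeUrl(string $url): bool
{
    // The URL standard strips leading controls/spaces and removes tab and
    // newline anywhere ("java\tscript:" still runs), so remove all of them
    // before looking for a scheme. Entities such as &#58; were already decoded
    // by the parser, so they cannot hide the colon from this check.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return true; // no scheme: a relative URL
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function stripAttributes(DOMElement $el, string $tag): void
{
    // Snapshot the map: removing attributes while iterating it skips entries.
    foreach (iterator_to_array($el->attributes, false) as $attr) {
        $name = strtolower($attr->name);
        $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
        if ($keep && ($name === 'href' || $name === 'src') && !safeUrl($attr->value)) {
            $keep = false;
        }
        if (!$keep) {
            $el->removeAttribute($attr->name);
        }
    }
}

function sanitizeNode(DOMNode $node): void
{
    // Walk a snapshot: removing or moving children while iterating the live
    // NodeList would skip siblings.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_TAGS, true)) {
                $node->removeChild($child);          // element and its content
            } elseif (!in_array($tag, ALLOWED_TAGS, true)) {
                // Unknown but harmless tag (<font>, <span>, ...): sanitize its
                // children first, then hoist them in place and drop the tag.
                sanitizeNode($child);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
            } else {
                stripAttributes($child, $tag);
                sanitizeNode($child);
            }
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);              // comments, PIs: not needed
        }
    }
}

function sanitizeHtml(string $fragment): string
{
    $doc = new DOMDocument();
    // Parse inside a full document so a stray closing tag in the fragment is
    // discarded by the parser instead of closing something on the real page.
    $wrapped = '<!DOCTYPE html><html><head>'
             . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
             . '</head><body>' . $fragment . '</body></html>';
    $prev = libxml_use_internal_errors(true);       // broken markup is expected
    $doc->loadHTML($wrapped);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    sanitizeNode($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);              // serialize only the fragment
    }
    return $out;
}

// Constructed sample post combining the thread's two problems.
$post = '</div><div onclick="alert(1)">hello world</div>'
      . '<script>alert(document.cookie)</script>'
      . '<a href="javascript:alert(1)">x</a><a href="https://example.com">ok</a>'
      . '<img src="x" onerror="alert(1)"><p>unclosed';
echo sanitizeHtml($post), "\n";
```

The leading `</div>` is dropped by the parser, `<p>unclosed` comes back closed, the `<script>` element disappears with its body, and the `onclick`, `onerror` and `javascript:` attributes are removed while `href="https://example.com"` and `src="x"` stay. Two things to keep in mind: libxml2 implements an HTML 4 parser, not the HTML5 parsing algorithm a browser uses, so for production the maintained HTML Purifier library (which takes the same allow-list approach) is the safer choice; and the allow-list must stay closed, since every tag or attribute added to it is a new thing to reason about.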
 
02-09-2007, 07:48 AM   #8
graemef (Senior Member)
You can use the XML methods to verify the code but why not use BBCode?
 
02-13-2007, 02:57 PM   #9
farmerjoe (Original Poster)
Ok. I might have found a quick solution to this. There is a library available in PHP5 called HTML Tidy. I think this will "tidy" our HTML by correcting any tag errors.
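Tidy does fix the structural half of the problem (the stray `</div>` and the unclosed `<p>`), but it is an HTML repair tool, not a sanitizer: it leaves `<script>` elements and event handler attributes exactly where they were. The added example below (not from the thread or its posters; it needs the tidy extension, and the post text is constructed) repairs a fragment and then reports what script-bearing markup survived the repair.

```php
<?php
// Added example: what ext-tidy repairs and what it leaves alone.
if (!extension_loaded('tidy')) {
    fwrite(STDERR, "ext-tidy is not loaded\n");
    exit(1);
}

// Constructed sample post: a stray closing tag, an unclosed <p>, and script.
$post = '</div><div onclick="alert(1)">hello world</div>'
      . '<script>alert(document.cookie)</script><p>unclosed';

$config = [
    'show-body-only' => true,   // return the repaired fragment, not a full document
    'wrap'           => 0,      // do not re-wrap long lines
    'output-xhtml'   => true,   // well-formed XHTML output
];

function repair(string $html, array $config): string
{
    // tidy_repair_string() returns the corrected markup as a string;
    // structural problems are fixed, content is preserved.
    $repaired = tidy_repair_string($html, $config, 'utf8');
    return $repaired === false ? '' : $repaired;
}

function survivingScript(string $html): array
{
    $found = [];
    if (preg_match('/<script\b/i', $html)) {
        $found[] = 'script element';
    }
    if (preg_match('/\son[a-z]+\s*=/i', $html)) {
        $found[] = 'event handler attribute';
    }
    return $found;
}

$clean = repair($post, $config);
echo "After tidy:\n", $clean, "\n";
foreach (survivingScript($clean) as $name) {
    echo "still present after tidy: ", $name, "\n";
}
```

Tidy is a reasonable first stage (it gives you balanced markup that a later pass can parse reliably), but the script element and the `onclick` handler both come back intact, so an allow-list of tags and attributes still has to run on its output before anything is stored or rendered.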
 