HTML Purifier 1.0.0 release (shameless vendor launch)
Date: September 01, 2006 10:46AM

HTML Purifier, a standards-compliant HTML filtering library, released its stable 1.0.0 version today.

http://hp.jpsband.org/

Download links:
Navigate to http://hp.jpsband.org/#Download for the most up-to-date version.

Demo:
http://hp.jpsband.org/live/docs/examples/demo.php

Notable changes include: more shorthand CSS properties, protection against malformed UTF-8, support for other character sets, and complete API documentation.

Yes, this is a shameless vendor launch.



Edited 1 time(s). Last edit at 10/15/2006 12:31PM by Ambush Commander.

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Posted by: rsnake
Date: September 01, 2006 12:03PM

Hi, Ambush Commander, this looks pretty good. There were a few small things I noted. First, I'm not sure if this is expected behavior, but it certainly does mess things up in the HTML (not what I would have expected to happen).

<IMG SRC='http://ha.ckers.org/images/RSnake.jpg?">"'

Also, it's interesting to note that you translate single quotes into double quotes and then escape the double quotes outside of the angle brackets. Since you were using UTF-8 encoding, I was pretty sure this was going to be vulnerable to the variable width encoding trick, but because I couldn't use either double quotes (outside) or single quotes (inside), I was out of luck because I couldn't create a matching pair (grave accents just errored out). I still haven't properly fuzzed all possibilities of characters that would produce a quote, but thus far it looks good. So I wouldn't say this is perfect because it doesn't properly return what I would expect, but it certainly does a good job of defending against all the XSS vectors I am currently aware of.

As a side note, this does still allow for CSRF via remote images, so I'm not sure if you intend to eventually turn that off or allow a setting for users who don't want that. Nicely done!

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 09/01/2006 12:03PM by rsnake.

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Posted by: rsnake
Date: September 01, 2006 12:04PM

Oh, and you might want to properly trap null bytes. It just dies when I submitted a null. That's probably not what you intended.

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Date: September 01, 2006 12:46PM

External images will probably be disabled by default by 1.3, when URI filtering schemes such as "allow only relative URIs" will be implemented. That can be troublesome for websites that have non-idempotent transactions assigned to GET requests... stupid web-people.

As for malformed HTML behavior, I really can't say. Output of <img src="" alt="Invalid image" /> seems reasonable enough, because what's really happening is that the lexers are properly assigning 'http://ha.ckers.org/images/RSnake.jpg?">"' to src, and then the subsequent URI validation routine is rejecting it. This is necessary for cases like <a title="Mike's car">, when quotes can be mixed.

As for the variable-width attack, I'm reasonably certain that we're secure. All special HTML characters are being escaped and the input UTF-8 string is being checked for well-formedness.

As for null bytes, that's interesting. I'll have to find out where that's happening.

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Date: September 01, 2006 12:51PM

I'm unable to reproduce the null byte problem. :?

Also, according to the DOM inspector Mozilla Firefox parses your malformed image tag the same way, but then drops the quotes and the greater than sign. I may be able to alter the URI validation routine to make that happen.



Edited 1 time(s). Last edit at 09/01/2006 12:58PM by Ambush Commander.

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Posted by: rsnake
Date: September 01, 2006 01:48PM

Hrm... worked for me again. Here is what I injected:


POST /live/docs/examples/demo.php HTTP/1.1
Host: hp.jpsband.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://hp.jpsband.org/live/docs/examples/demo.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

html=%3C%00IMG+SRC%3D%22http%3A%2F%2Fha.ckers.org%2Fimages%2FRSnake.jpg%22%3E&submit=Submit


(see the null after the open angle bracket)?

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Date: September 01, 2006 03:10PM

Are you talking about a 503? That's Apache's fault: it's rejecting the request. You do the same ("no one likes you, go away.").

I have a test case that ensures the Encoder strips out null bytes leaving the rest of the string intact, and it's a pass on both machines.

Edit - to be more specific, it's mod_security's fault:

[Fri Sep 01 11:46:53 2006] [error] [client *.*.*.*] mod_security: Access denied with code 503. Error parsing POST parameters: Error normalising parameter value: Invalid character detected [0] [hostname "hp.jpsband.org"] [uri "/live/docs/examples/demo.php"]



Edited 1 time(s). Last edit at 09/01/2006 03:21PM by Ambush Commander.

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Posted by: rsnake
Date: September 01, 2006 03:50PM

Ah, that makes sense. No problems then. I stopped using mod_security a long time ago after I found some issues in it (I reported them to Ivan and they have since been fixed). It gets in the way of all the testing I do - adds an additional layer of security that is more confusing than anything.

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Date: September 03, 2006 09:33PM

Okay, <IMG SRC='http://ha.ckers.org/images/RSnake.jpg?">"' works now. Not sure if it would actually be useful in the real world, but it wasn't a hard fix to do.

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Posted by: rsnake
Date: September 04, 2006 01:39PM

Hey, Ambush Commander, I'm playing with the variable width encoding stuff. Help me understand what you are doing here. When I inject:

<IMG SRC='http://ha.ckers.org/blah.jpg?À' ALT="onerror='alert()'">

The variable width token starts off as C4 and upon submission and return it changes into C480. Are you adding in the additional char? When I remove the 80 upon the return it does work, so I know it's not my code that's failing.

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Date: September 04, 2006 03:16PM

Unable to reproduce. Depending on which encoder is running (there's an iconv implementation and a PHP implementation), testing cleanUTF8() on urlencoded %C4%27 results in either no apostrophe (PHP) or just an apostrophe (iconv). Unable to get a %80.

What are you using to create these injections? I either test on the PHP level or use FireFox's Tamper Data.

However, %C4%80 is a valid UTF-8 character that displays as &#256;, so either way, the UTF-8 cleanup function is doing its job! :-)

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Posted by: rsnake
Date: September 04, 2006 06:15PM

I was using burp proxy (part of burp suite)... (switching back and forth between the hex encoding version makes it very easy to do this type of testing).

I injected %C4 but upon return it adds %80. If I remove the %80, it works again.

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Date: September 05, 2006 04:54PM

Here's what I'm sending:

POST /live/docs/examples/demo.php HTTP/1.1
Host: hp.jpsband.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
---------------: ------------
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://hp.jpsband.org/live/docs/examples/demo.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 122

html=%3CIMG+SRC%3D%27http%3A%2F%2Fha.ckers.org%2Fblah.jpg%3F%C4%27+ALT%3D%22onerror%3D%27alert%28%29%27%22%3E+&submit=Submit

and I'm not getting anything back. I reiterate, however, that C4 is not a valid UTF-8 character, so it can't bypass the filter.
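
The well-formedness check discussed in this exchange (a lone %C4 lead byte that cannot consume the apostrophe after it, and the null-byte stripping mentioned earlier in the thread), as an added example that is not HTML Purifier's own Encoder code; the function names are assumptions and the sample inputs are constructed from the injections quoted above.

```python
# Added example (not HTML Purifier's code): a strict UTF-8 well-formedness
# filter that strips NUL bytes and drops every malformed byte sequence, so a
# stray lead byte such as 0xC4 can never "swallow" the quote that follows it.

def _lead_info(lead: int):
    """Return (sequence length, lowest valid 2nd byte, highest valid 2nd byte)
    for a lead byte, or None if it can never start a well-formed sequence
    (ranges follow the RFC 3629 table, so overlongs and surrogates are out)."""
    if lead < 0x80:
        return 1, 0x80, 0xBF          # plain ASCII, 2nd-byte range unused
    if 0xC2 <= lead <= 0xDF:
        return 2, 0x80, 0xBF
    if lead == 0xE0:
        return 3, 0xA0, 0xBF          # rejects overlong 3-byte forms
    if 0xE1 <= lead <= 0xEC or 0xEE <= lead <= 0xEF:
        return 3, 0x80, 0xBF
    if lead == 0xED:
        return 3, 0x80, 0x9F          # rejects UTF-16 surrogates U+D800..U+DFFF
    if lead == 0xF0:
        return 4, 0x90, 0xBF          # rejects overlong 4-byte forms
    if 0xF1 <= lead <= 0xF3:
        return 4, 0x80, 0xBF
    if lead == 0xF4:
        return 4, 0x80, 0x8F          # rejects code points above U+10FFFF
    return None                       # 0x80-0xC1, 0xF5-0xFF: never a lead byte

def clean_utf8(raw: bytes) -> bytes:
    """Drop NUL bytes and any byte that is not part of a well-formed sequence."""
    out = bytearray()
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        info = _lead_info(b)
        if b == 0x00 or info is None:
            i += 1                    # NUL, stray continuation byte or bad lead
            continue
        length, lo, hi = info
        seq = raw[i:i + length]
        ok = len(seq) == length and all(0x80 <= c <= 0xBF for c in seq[1:])
        if ok and length > 1:
            ok = lo <= seq[1] <= hi   # second byte must also be in the lead's range
        if ok:
            out += seq
            i += length
        else:
            i += 1                    # malformed: drop the lead byte only, rescan
    return bytes(out)
```

Constructed inputs: the `%C4%27` fragment from the request above keeps its apostrophe, `%C4%80` (U+0100) survives intact, and the NUL after `<` from the earlier request is removed.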

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Date: September 16, 2006 08:40PM

Hey, if anyone is interested, 1.1 was released today. Hopefully none of the added features also introduce security risks.

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Posted by: lpilorz
Date: October 23, 2006 08:41AM

Great tool, I tried it out a little and it seems really good. The LGPL licence comes in handy, as I'm developing commercial software - thanks!

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Date: November 29, 2006 05:32PM

1.3.0 was released last Sunday. The CSRF via remote images can be blocked by setting $config->set('URI', 'DisableExternalResources', true); although by default images are allowed (this forum allows remote images!)

Re: HTML Purifier 1.0.0 release (shameless vendor launch)
Posted by: rsnake
Date: November 29, 2006 05:40PM

This forum is not a model for secure applications (far from it). But I'm glad to see you built that in. That'll be really useful.

- RSnake
Gotta love it. http://ha.ckers.org


