Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 

4 years ago
sjdev86
@sirdarckcat - thanks, I spotted some of those vectors coming through recently. I didn't realise that php's DOMDocument automatically placed cdata tags in between script / style tags (which caused malicious html coming afterwards to be allowed through). I need to go over that in more detail (since the fix I've implemented is crude). I'm certainly not going to claim it's "safe" in its
Forum: Projects
4 years ago
sjdev86
@sirdarckcat - better you didn't come across it too early, fewer holes to pick! I think we can safely say that better character checking of style property names is needed (whitelist now in place) to guard against #1. Blacklisting style comments is all I can imagine for #2.
Forum: Projects
4 years ago
sjdev86
I'd literally just sat down to work on the url filtering (I wasn't happy with using a single regex for them, so decided to bypass the anti-samy rule), when I saw some new entries coming through in the demo logs - I thought it might be you. ;) I've made some small updates as a result (good timing on your part) and will test the new entries against the default regex as well for comparison. I h
Forum: Projects
4 years ago
sjdev86
The shorthand lists in antisamy are now allowed for (eg. background can take on background-image values as well). A couple of very minor issues encountered so far (the default rules not allowing everything I would have expected), but it is a very small minority: ALLOWED <div style="background:url(test.png);">test</div> NOT ALLOWED <div style="background:ur
Forum: Projects
4 years ago
sjdev86
I've now switched everything over to use the anti-samy policy file. Still a couple more things to implement (eg. cross-referencing shorthand lists), but it's working very nicely (IMO!) so far.
Forum: Projects
4 years ago
sjdev86
Is anyone able to verify whether the mbstring function "mb_detect_encoding" is vulnerable to the buffer overflow vulnerability? I don't currently have access to anything below php 5.29. http://www.securiteam.com/unixfocus/6X00P0ANFM.html seems to suggest that it is one of the functions that should be "safe in their nature".
Forum: Projects
4 years ago
sjdev86
I suppose that one alternative would be to hook into the anti-samy policy file, using xpath to find the appropriate rules for the attribute or property. The input value could then be matched against the resulting regex / literal rules. EDIT: current demo now using anti-samy
Forum: Projects
4 years ago
sjdev86
Anti-samy does look good. I've refined the attribute filtering somewhat, although I haven't gone as far as producing a rule for every different attribute / style value. At this point, something like <div style="color:'''';">test</div> will still get through the value whitelist (allow letters, numbers, spaces and # % ' , - . _ characters), but I wouldn't have thought that w
Forum: Projects
4 years ago
sjdev86
Thanks for the hole picking. I'll get on to re-factoring / tightening up the character whitelist (and the decoding has been given the boot from plain text output).
Forum: Projects
4 years ago
sjdev86
Alright, I'm happy with it now. The only thing I haven't addressed is mbstring, as I'm still thinking about the best alternative (any thoughts on dealing with the charset welcome).
Forum: Projects
4 years ago
sjdev86
Getting a bit too close there. Looks like php's DOMDocument automatically decoded the hex entities, which rendered the encoding check useless. Better get that css whitelist up. EDIT: initial attempt at css whitelist now in place
Forum: Projects
4 years ago
sjdev86
Gives me something to aim for then, doesn't it. ;) I was just playing around with the decoding options. So far I'm taking the approach that if passing the attribute through the decoding function changes the value in any way, then it's presumed to be bad input and the attribute is removed (otherwise further checks are carried out). The only situation I can think of where a legitimate user ent
Forum: Projects
4 years ago
sjdev86
The decoding function should catch double encoding (since it continues to cycle until nothing changes), however I agree that your approach seems the more sensible one. I'll re-configure it for a pass / fail approach - if it passes all checks, leave input as is (still run it through htmlspecialchars once passed?), otherwise remove that data entirely.
Forum: Projects
4 years ago
sjdev86
Thanks for the feedback, Gareth. I'll build in a whitelist for the style attribute (always figured I'd have to if I was going to allow it). I've got mbstring dotted around the place in various components I'm building, so that's going to need re-thinking. I'm interested in the decoding issue - I was under the (false?) impression that it was a good idea to try and decode the input as much as p
Forum: Projects
4 years ago
sjdev86
Ah, yes...must remember not to leave raw input in the input textarea (doh!). Thanks thornmaker! Might have to look at the demo next time Gareth. ;)
Forum: Projects
4 years ago
sjdev86
Hi all, I've been rolling my own php framework recently and initially thought about using an existing html filtering solution such as htmLawed. But curiosity got the better of me and I decided to try writing my own instead. I was hoping a few people might be good enough to give the demo a try to see how it holds up. >> http://allowhtml.com/demo/ There's a link to the source code
Forum: Projects