Modifying htmlpurifier allowed tags for this markup

My html purifier settings now allow only these tags

$configuration->set('HTML.Allowed', 'p,ul,ol,li');

I want to allow indentation of lists and my editor uses this html

<ul style="margin-left: 40px;">

How should I change my HTMLPurifier Allowed tags? I thought to add style, but I think it would be better to specify exactly which style is allowed, which in this case would be margin-left. What is the right way to change the HTML.Allowed for this case?

Deck answered 3/6, 2011 at 17:7 Comment(0)

Allow the style attributes, and then modify the allowed CSS attributes using %CSS.AllowedProperties.

$configuration->set('HTML.Allowed', 'p,ul[style],ol,li');
$configuration->set('CSS.AllowedProperties', 'margin-left');
Beef answered 3/6, 2011 at 18:15 Comment(3)
You should whitelist allowed properties, see some of the possibilities of injecting JavaScript into the style attribute here: owasp.org/index.php/… – Tavarez
@Edward Z. Yang, the library is very good, but the documentation I found a little expeditive, I would have appreciated more examples. For instance, just by reading this htmlpurifier.org/live/configdoc/…, I think it's difficult to guess how to use it. Your two-line contribution on SO would maybe fit better in that page? – Slider
The documentation is really bad. That's why people don't understand it. – Prickly

At the least, you want to allow attributes for tags which purifier supports, like so:

$configuration->set('HTML.Allowed', 'p,ul[style],ol,li');

I'm not sure if you can also allow/restrict the content of the attributes, though.

Duhl answered 3/6, 2011 at 17:11 Comment(1)
But is it safe to just do ul[style]? I mean, can an attack happen from within the ul[style], maybe by the malicious user adding his code in there, or is ul[style] widely agreed to be enough? – Deck

I suggest you don't allow attributes at all. Allowing the style attribute causes an XSS vulnerability in IE7 (and possibly other versions, I am not sure at the moment) but the point is, it's too dangerous. You should parse the HTML yourself, and replace the users' with constant strings in your code. Allowing HTML is a really dangerous practice. For better security, you may want to try something like markdown or create your own very simple markup type language (like BBcode) for your users to use.

Blacking answered 3/6, 2011 at 17:15 Comment(3)
Htmlpurifier prevents XSS in style attributes. – Deauville
@Frank Farmer, I think he makes a valid point. See also Obsidian_'s comment. It is not clear to me yet whether HTMLPurifier takes care of what goes inside the style, so they may have a point. I hope someone would clarify if they know of any test results on this. – Deck
@samold: see Edward's reply to obsidian. Edward is the author of HTML purifier. "HTML Purifier decomposes all components of HTML, including all CSS" – Deauville

Like SamT said regarding the XSS vulnerability in IE7, be wary of allowing access to the style attribute because of a genius Microsoft move that allowed the use of javascript in CSS by way of "expression()" (also known as Dynamic Properties). http://msdn.microsoft.com/en-us/library/ms537634(v=vs.85).aspx

Regarding its removal in IE8, where Microsoft blatantly admits that it exposed users to additional vulnerabilities: http://blogs.msdn.com/b/ie/archive/2008/10/16/ending-expressions.aspx

example:

<a href="" style="width: expression(alert('XSS'));">blah</a>

The above would pop up a javascript alert box in MSIE 5 through 7. According to the docs on the MSDN, it should also work on IE8 when Quirks mode is active. It might also occur on IE9 in quirks mode, but I can't be sure.

If at all possible, avoid allowing access to the style attribute. You never know when another future browser will get the genius idea to add in the same mistake Microsoft made.

Mastin answered 3/6, 2011 at 17:33 Comment(2)
HTML Purifier decomposes all components of HTML, including all CSS. You can see how it treats CSS here: htmlpurifier.org/live/smoketests/printDefinition.php (scroll down to the bottom) – Beef
Wasn't aware of that; I've never used HTML Purifier much myself, as it seems that when I code and allow HTML to be used, every fifteen-year-old out there suddenly thinks it is open season to start probing for XSS exploits. The mere appearance of a vuln seems to drive them into a feeding frenzy... an absolute annoyance, really. :\ – Mastin
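Added example (not from the question or any of the answers above): the two configuration lines from Beef's accepted answer wired into a complete HTML Purifier script, run against the asker's indented-list markup and against the expression() payload from Mastin's answer, so you can see for yourself which style declarations survive. It assumes HTML Purifier is installed via Composer (vendor/autoload.php); the input strings are constructed for this example.

```php
<?php
// Added example, not code from the question or answers. Assumes HTML Purifier
// was installed with Composer so that vendor/autoload.php exists.
require_once __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Element/attribute whitelist: only these four elements, and only <ul>
    // may carry a style attribute (the [style] suffix from the accepted answer).
    $config->set('HTML.Allowed', 'p,ul[style],ol,li');
    // Property whitelist inside that style attribute: everything except
    // margin-left is dropped, so width/expression() never reaches the output.
    $config->set('CSS.AllowedProperties', 'margin-left');
    // Keep the demo self-contained: do not write definition cache files to disk.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

$purifier = makePurifier();

// Constructed inputs for this example.
$cases = [
    // The asker's editor output: margin-left is whitelisted, so the indent survives.
    '<ul style="margin-left: 40px;"><li>one</li><li>two</li></ul>',
    // A second property alongside margin-left: color is not whitelisted and is removed.
    '<ul style="margin-left: 40px; color: red;"><li>x</li></ul>',
    // Mastin's IE expression() payload moved onto <ul>: width is not an allowed
    // property (and expression() is not a valid CSS value), so it is stripped.
    '<ul style="width: expression(alert(\'XSS\'));"><li>x</li></ul>',
    // The payload on a tag that is not in HTML.Allowed at all: the <a> tag
    // and its style attribute are removed, only the text content is kept.
    '<a href="" style="width: expression(alert(\'XSS\'));">blah</a>',
    // style on <ol>, which was not given [style] in HTML.Allowed: attribute dropped.
    '<ol style="margin-left: 40px;"><li>x</li></ol>',
];

foreach ($cases as $dirty) {
    printf("in:  %s\nout: %s\n\n", $dirty, $purifier->purify($dirty));
}
```

Run it with `php purify-demo.php` (any filename works). Note that HTML.Allowed and CSS.AllowedProperties are independent whitelists: the first decides which elements may carry a style attribute at all, the second decides which properties may appear inside any style attribute that survives, which is why the same margin-left declaration is kept on <ul> but dropped on <ol>.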
