Newsgroups: php.internals
Xref: news.php.net php.internals:63204
Date: Thu, 20 Sep 2012 14:44:54 +0100
From: Pádraic Brady <padraic.brady@gmail.com>
To: Ferenc Kovacs
Cc: Leigh, Lester Caine, PHP internals
Subject: Re: [PHP-DEV] Decode, transcode, sanitize, filter, escape
References: <505AEB97.8010303@lsces.co.uk> <505B124A.8070309@lsces.co.uk>

Hey,

Also bear in mind another outcome of Defense In Depth - you can't trust HTML generators ;). Alternative formats like BBCode and Markdown (which actually allows arbitrary HTML insertions as part of the specification) generate HTML but do not necessarily filter or validate the contents. You also have a quality issue. Integrated apps like phpBB or Github make alternative formats look safe because they are already restricted and sanitised by the app itself. Isolated libraries adhering to the specification probably won't do this at all, leaving it up to the user to perform sanitisation of the generated output. They both still need HTMLPurifier or a similar whitelisted sanitiser to ensure it's safe.

Simple example is to grab phpmarkdown from Twitter, parse some Markdown containing a
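The point above, that a spec-following Markdown converter hands raw HTML through untouched and that the generated output therefore still needs an allowlist sanitiser, as an added Python example (not code from this post, from PHP Markdown or from HTMLPurifier). The `markdown_to_html` converter, the `AllowlistSanitizer` class, its `ALLOWED_TAGS`/`ALLOWED_ATTRS` tables and the `UNTRUSTED_MARKDOWN` input are all constructed here for illustration; a real deployment would use a maintained sanitiser such as HTMLPurifier rather than this toy.

```python
"""Sanitising HTML produced by a Markdown-style generator with an allowlist.

Added example; not code from the mailing-list post, PHP Markdown or HTMLPurifier.
"""
import html
import re
from html.parser import HTMLParser

# Constructed untrusted input: legitimate Markdown mixed with raw HTML, exactly
# what the Markdown spec permits a document to contain.
UNTRUSTED_MARKDOWN = """\
Hello **world**, see [the docs](https://example.com/docs).

<script>alert(document.cookie)</script>

Click [here](javascript:alert%281%29) or <img src=x onerror="alert(1)">.
"""


def markdown_to_html(text: str) -> str:
    """Tiny Markdown-style converter (paragraphs, **bold**, [text](url)).

    Like a spec-following Markdown implementation it passes raw HTML through
    verbatim, so its output is only as trustworthy as its input.
    """
    blocks = []
    for para in re.split(r"\n\s*\n", text.strip()):
        if para.lstrip().startswith("<"):
            blocks.append(para)  # raw HTML block: passed through untouched
            continue
        p = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", para)
        p = re.sub(r"\[([^\]]+)\]\(([^)\s]+)\)", r'<a href="\2">\1</a>', p)
        blocks.append(f"<p>{p}</p>")
    return "\n".join(blocks)


# Allowlist (hypothetical policy for this example): anything not listed is dropped.
ALLOWED_TAGS = {"p", "strong", "em", "a", "code", "pre", "ul", "ol", "li", "br", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_CONTENT = {"script", "style"}  # element AND its text are discarded
VOID = {"br"}
# A URL is safe only if it is http(s)/mailto, relative, or a fragment; any
# other scheme (javascript:, data:, vbscript:, ...) is rejected by the colon test.
SAFE_URL = re.compile(r"^(?:https?:|mailto:|/|#|[^:]*$)", re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # unknown tag: emit nothing (its text content is still kept)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not SAFE_URL.match(value.strip()):
                continue  # unsafe scheme: drop the attribute, keep the element
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in ALLOWED_TAGS or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))  # re-escape text


def sanitize(fragment: str) -> str:
    s = AllowlistSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    generated = markdown_to_html(UNTRUSTED_MARKDOWN)
    print("generator output (unsafe):\n" + generated)
    print("\nafter allowlist sanitiser:\n" + sanitize(generated))
```

Running it shows the `<script>` block, the `onerror` handler and the `javascript:` link all surviving the converter and being removed only by the sanitiser; the sanitiser works on the generated HTML, not on the Markdown source, because that is the only place the full set of tags the generator emits can be seen.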