
Re: Bug#308282: [phpbb2 #308282] upstream patch

(Sorry for not doing this as a real reply with the correct mail headers,
but I'm not subscribed to debian-security, I only read it on the web.)

> > | +	$text = preg_replace('#(script|about|applet|activex|chrome):#is', "\\1:", $text);
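Review bot: As displayed, the replacement "\\1:" reproduces exactly what the pattern matched, so this line is a no-op; the discussion below about browsers decoding HTML entities suggests the colon in the replacement was originally an entity that the archive rendered back to ":". Even with an encoded colon, the pattern only matches the scheme spelled out in literal letters immediately followed by a colon (the "i" flag covers case), so entity-encoded letters such as "jav&#97;script:" and whitespace inside the scheme pass untouched. Normalising the value (decode entities, strip whitespace) before matching, or checking the scheme against a whitelist, would be more robust than rewriting a fixed list of scheme names.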

> It looks like this is about preventing URLs like <img
> src="javascript:foo"> to be output. Since browsers are supposed to
> parse the HTML entities before interpreting the resulting URL, this
> patch seems wrong to me, it might actually work though if the affected
> browsers really do not parse such HTML entities in advance.

Protecting against this type of attack is much more complicated than this.
As Jeroen noted, HTML entities are interpreted, so you have to protect against
things like "jav&#97;script:". Some browsers allow varying amounts of whitespace
inside protocols for some reason, so you have to protect against
"java  scr ipt : ". Upper- and lowercase characters may be an issue. Finally, some
browsers including Mozilla store entities in integers so they wrap over and
start again after 2**32.

> Also, only rewriting specific schemes would be dangerous as who knows
> when a certain browser will actually include yet another such scheme and
> start to do funny things with it. A whitelist would also be tricky
> though.

FWIW, my HTML/XHTML filter kses ( http://sourceforge.net/projects/kses )
includes a whitelist for URL protocols. It also checks for all the above
problems.

// Ulf Härnhammar
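As an added illustration (not code from this mail, from phpBB or from kses), a Python sketch of the normalisation a scheme whitelist has to apply before it looks at the protocol, covering the four cases listed above: entity encoding, whitespace inside the scheme, mixed case, and 32-bit wraparound of numeric entities. The set of allowed schemes is an assumed example value.

```python
import re

# Assumed whitelist for the example; a real filter chooses its own.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

# Decimal, hex and a few named entities; the ';' is optional because browsers are lenient.
_ENTITY = re.compile(r"&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|(amp|lt|gt|quot|apos));?")
_NAMED = {"amp": "&", "lt": "<", "gt": ">", "quot": '"', "apos": "'"}


def decode_entities(text):
    """Decode entities the way a lenient browser would. Numeric values are reduced
    modulo 2**32 to mirror browsers that keep the code point in a 32-bit integer,
    so '&#4294967393;' (2**32 + 97) decodes to 'a'."""
    def repl(m):
        if m.group(1) is not None:
            cp = int(m.group(1)) % 2**32
        elif m.group(2) is not None:
            cp = int(m.group(2), 16) % 2**32
        else:
            return _NAMED[m.group(3)]
        return chr(cp) if cp <= 0x10FFFF else ""
    return _ENTITY.sub(repl, text)


def normalize_scheme(url):
    """Return the lower-cased scheme a browser would most likely act on,
    or None when the value has no scheme at all (a relative URL)."""
    decoded = decode_entities(url)
    # Drop whitespace and control characters that some browsers ignore inside the scheme.
    compact = re.sub(r"[\s\x00-\x1f]+", "", decoded)
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.-]*):", compact)
    return m.group(1).lower() if m else None


def url_is_allowed(url):
    """Whitelist check: relative URLs pass, anything with a scheme must be listed."""
    scheme = normalize_scheme(url)
    if scheme is None:
        return True
    return scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    for sample in ("http://example.org/", "jav&#97;script:x", "java  scr ipt : x",
                   "JaVaScRiPt:x", "jav&#4294967393;script:x"):
        print(repr(sample), "->", normalize_scheme(sample), url_is_allowed(sample))
```

Note that a relative path containing a colon before any slash is treated as having a scheme and rejected, which is the conservative choice for a filter.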
