|
Reasons never to allow HTML
by
10 Aug 2004
This was written in response to various queries regarding the use of HTML, most recently in this thread. ----------------- In general, one is probably fine allowing bbcodes, although I do not know if bbcodes like IMG and URL are safe. (See below.) While vB provides the capability to allow HTML, one should never use it. It opens your board to attack. Use bbcodes. If you need to emulate an HTML tag, write a new bbcode. The problem with allowing the injection of HTML is a complicated one. There is no 100% safe method to allow HTML and feel secure. Some of the issues and interactions are: 1. The obviously dangerous tags like SCRIPT and APPLET are not the only danger. Any injection of a URL can be dangerous. Any tag that allows for a URL (e.g., a, img, frame, ...) can be used for cross-site scripting and cookie stealing, which can allow someone to hack into your board. 2. Hackers can use various tricks that would result in a tag getting through the filter imposed by the PHP checker. Possible examples: a) <sc\0ript> becomes <script> b) <scr<embed>ipt> becomes <embed> or <script> 3. Then there is the issue of malicious tag attributes and events such as onclick and onmouseup. -------- Potentially dangerous tags that accept URL's: A, APPLET, AREA, BASE, BGSOUND, BODY, EMBED, FORM, FRAME, IFRAME, ILAYER, IMG, ISINDEX, INPUT, LAYER, LINK, OBJECT, SCRIPT, SOUND, TABLE, TD, TH, TR |