[pmwiki-users] cookbook security advice needed
Peter & Melodye Bowers
pbowers at pobox.com
Tue May 6 14:11:14 CDT 2008
> What is the best way to prevent submitting malicious code like
> javascript. Is there a standard or common used filter function for
> that. The filter should accept the css syntax but nothing
> more. Example:
>
> #123456
> 1px solid red
> 0.8em
> url(http://domain.net/img.jpg)
It's kind of "brute force" and lacking elegance, but something like this
might be a start in the right direction:
===(snip)===
// One regex per CSS token we are willing to accept: hex colours (digits and
// a-f), px and em lengths, two keywords, and url(...) restricted to http://.
$ValidCSSPatterns = array('/#[0-9a-fA-F]{3,6}\b/', '/\b[0-9]+px\b/', '/\bsolid\b/',
  '/\bred\b/', '/\b[0-9.]+em\b/', '/\burl\(http:\/\/[a-zA-Z.\/0-9-]+\)/');
// Strip every accepted token; whatever survives is something we did not whitelist.
$Result = trim(preg_replace($ValidCSSPatterns, '', $TextFromMarkup));
if ($Result) // if anything is left after stripping all valid CSS
  // escape the leftover before echoing it back, it is untrusted input
  echo "ERROR - this CSS was not valid: " . htmlspecialchars($Result) . "<br>\n";
else {
  // process $TextFromMarkup, feeling fairly confident that it's valid CSS
}
===(snip)===
Obviously the difficulty is to get a fairly complete "definition" of CSS in
an array of regexes. Sounds kind of daunting... On the other hand you
probably (?) don't need *all* of CSS and presumably could handle 80% of use
by getting the 20% of most common syntactical terms...? I'm really out of
my element with CSS so I can't say, but this is *a* way that the problem
could be approached.
-Peter
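An added example, not part of Peter's post or of PmWiki itself: the same whitelist idea done token by token instead of strip-and-see-what-is-left. The value is split on whitespace and every token must match one allowed pattern in full (anchored with ^ and $), so fragments of two different tokens cannot line up into something that looks valid only after the rest has been removed. The keyword list, the % unit, the function name ValidateCssValue and the sample inputs are all made up for illustration; only the four values from the original question are taken from the page.

```php
<?php
// Example code, not from the original post. Allowlist of complete CSS value
// tokens; each regex is anchored so it must match a whole token, not a fragment.
$AllowedCssTokens = array(
    '/^#[0-9a-fA-F]{3}([0-9a-fA-F]{3})?$/',             // #abc or #aabbcc
    '/^-?[0-9]+(\.[0-9]+)?(px|em|%)$/',                // 1px, 0.8em, 50% (% assumed)
    '/^(solid|dashed|dotted|none|red|black|white)$/',  // keyword list is an assumption
    '/^url\(https?:\/\/[A-Za-z0-9.\-]+(\/[A-Za-z0-9._\/-]*)?\)$/', // url(http://host/path)
);

// Returns true only if every whitespace-separated token of $value matches one
// of $patterns in full. An empty value is rejected too.
function ValidateCssValue($value, $patterns) {
    $tokens = preg_split('/\s+/', trim($value), -1, PREG_SPLIT_NO_EMPTY);
    if (!$tokens) return false;
    foreach ($tokens as $tok) {
        $ok = false;
        foreach ($patterns as $re) {
            if (preg_match($re, $tok)) { $ok = true; break; }
        }
        if (!$ok) return false;   // $tok is not on the allowlist
    }
    return true;
}

// Constructed sample inputs with the verdict we expect for each.
$samples = array(
    '#123456'                       => true,
    '1px solid red'                 => true,
    '0.8em'                         => true,
    'url(http://domain.net/img.jpg)' => true,
    'url(javascript:alert(1))'      => false, // scheme is not http(s)
    'expression(alert(1))'          => false, // old IE expression(), not an allowed token
    '1#1232px'                      => false, // fragments that would read as "1px" after stripping "#1232"
    'red; behavior: url(x.htc)'     => false, // tries to smuggle a second declaration
);
foreach ($samples as $css => $expected) {
    $got = ValidateCssValue($css, $AllowedCssTokens);
    printf("%-32s %s%s\n", $css, $got ? 'accepted' : 'rejected',
           $got === $expected ? '' : '  (UNEXPECTED)');
}
```

Two caveats for anyone adapting this. Splitting on whitespace means a url( ... ) with spaces inside, or a quoted string, is rejected rather than parsed; that is the safe direction, and the pattern list can be widened deliberately when a real use case needs it. And validating the value is only half the job: the property name should be allowlisted as well, because an innocuous-looking value under a property such as behavior or -moz-binding (both historically used for script execution in older browsers) is still dangerous.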