How to allow HTML in posts without security risk


musicales

7:30 am on Apr 21, 2003 (gmt 0)

10+ Year Member


I would like to allow users of a forum to post simple HTML, including links. How can I do this without causing a security risk?

One option might be like webmasterworld to have sort of 'fake tags' [b] and [/b] for bold etc and do a find and replace, but I think that may restrict me too much.

Am I right in thinking the main risk is javascript - so perhaps if I remove any <script> tags I might be safe?

Any other suggestions (preferably in javascript or ASP) would be most welcome.

korkus2000

11:47 am on Apr 21, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Things to worry about are SQL injection [sqlsecurity.com], <script> tags, iframes, and also regular server side code. I would replace the <script> tags with something else to prevent JavaScript and other client side scripting languages. Kill iframes since they could load code into those that could take over the user's browser.

musicales

12:09 pm on Apr 21, 2003 (gmt 0)

10+ Year Member



Thanks korkus2000, that's just what I was after. When you say 'regular server side code', presumably I only have to worry about the type used on the page - for example, if it's an ASP page, about an attempt to use ASP (by removing <% %>) - or is there a way someone could, say, run Perl etc. from an HTML page?

korkus2000

12:19 pm on Apr 21, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If it is an ASP page then yes, I would get rid of the <% %> tags. I don't think anyone can run Perl from the page though. It would have to be something client side interpreting it.

senior mcinvale

4:50 pm on Apr 21, 2003 (gmt 0)

10+ Year Member



Your best bet would be to use the [b] style.

Just figure out what you want your users to be able to post and convert the 'fake' tags to the real ones.

It shouldn't be limiting at all, if you take the time to write it all out.
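As an added example (not code from the thread or from any poster), here is the 'fake tag' approach in JavaScript, since the original question asked for JavaScript or ASP: the whole post is HTML-escaped first, so no raw tag or attribute from the user survives, and only a fixed set of fake tags ([b], [i], [url=...]) is then translated back into real markup. The tag set and the http/https-only rule for links are this example's own assumptions, not a spec from the thread.

```javascript
// Added example: translate a small BBCode-style markup to HTML.
// Step 1 escapes every HTML-significant character in the raw post, so a
// <script>, <iframe> or <% %> typed by the user is rendered as literal text.
// Step 2 converts only the whitelisted fake tags back into real elements.
// Tag names and the link rule below are assumptions chosen for this example.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Links must start with http:// or https://. Any other scheme is refused and
// the URL is shown as plain text instead of becoming a clickable link.
function safeHref(url) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(url) ? url : null;
}

function bbcodeToHtml(post) {
  let out = escapeHtml(post);

  // Paired formatting tags, non-greedy so each pair closes at the nearest end tag.
  out = out.replace(/\[b\]([\s\S]*?)\[\/b\]/gi, '<b>$1</b>');
  out = out.replace(/\[i\]([\s\S]*?)\[\/i\]/gi, '<i>$1</i>');

  // [url=...]text[/url]. The URL was escaped in step 1, so quotes, < and > inside
  // it are already entities and cannot terminate the href attribute.
  out = out.replace(/\[url=([^\]]+)\]([\s\S]*?)\[\/url\]/gi, (match, url, text) => {
    const href = safeHref(url);
    return href ? `<a href="${href}" rel="nofollow">${text}</a>` : `${url} ${text}`;
  });

  return out;
}

// Constructed sample posts showing the three cases a moderator cares about:
// ordinary formatting, an attempted raw tag, and a link with a refused scheme.
const samples = [
  '[b]Hello[/b] and [i]welcome[/i]',
  'Try this: <script>x</script> or [b]<i>nested raw tag</i>[/b]',
  '[url=https://example.com/?a=1&b=2]site[/url] [url=ftp://example.com/f]ftp[/url]',
];
for (const s of samples) console.log(bbcodeToHtml(s));
```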