
Allowing HTML tags in an open wiki

wondering about security issues

10:39 pm on Jul 22, 2006 (gmt 0), Junior Member


Hello. I have a PHP-based website that uses a type of wiki markup instead of HTML. It's an open website: anyone who visits can create and edit pages themselves. I've decided to start allowing certain HTML tags to be used by visitors, like for text formatting, links, tables, etc. I'm not allowing <SCRIPT> tags to be used by visitors, since I'm sure someone could put malicious JavaScript on the site.

I was wondering about <OBJECT> tags, though. Does anyone see any security issues with allowing these? I know media players use them, but I don't know much else about them, or if they could be used in a negative way.

And while we're at it, are there any other HTML tags I need to be careful with?

Thanks,
Phil

1:44 am on July 24, 2006 (gmt 0), encyclo, Senior Member from CA


Allowing <object> is a bad idea as it can be used in a similar fashion to an <iframe>, i.e. to include third-party content on your page.

If this is a completely open wiki, then you should consider very carefully whether you allow HTML at all - are you sure that the usual BBcodes won't do?

I do have one site which allows the insertion of HTML, my list of allowed elements is:

<a><b><i><img><code><pre><span><table><tr><td><div><br><font>

5:44 am on July 24, 2006 (gmt 0), Junior Member


Thanks, encyclo. I didn't know you could use objects to create iframes.

What I'm actually doing is this: I've set up the TinyMCE editor, which allows visitors to design pages in a WYSIWYG interface and then grab the HTML code for it and paste it into the wiki page. So it's not like the people themselves are writing the HTML tags. This means I have to allow all the basic HTML tags that TinyMCE produces.

So far I'm allowing these tags, and I'm adding new ones as they come up:

<img><b><i><u><sup><sub><font><p><a><table><tr><td><tbody><strong>
<em><blockquote><ul><div><li><ol><center><h1 thru h4><br><span>

Do you see a problem with any of these?

It would be wonderful if there were a WYSIWYG editor that spit out wiki code, but I haven't found anything like that.

Thanks,
Phil

2:01 pm on July 26, 2006 (gmt 0), encyclo, Senior Member from CA


The list looks reasonable, but be careful about how you handle attributes on those elements. For example, if you allow style then anyone could insert hidden text in a <span style="display:none;"></span> - so unless you check the source code you won't see the hidden spam links. :)
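An allowlist filter of the kind encyclo describes: it keeps only the tags Phil listed, applies a per-tag attribute allowlist that excludes style and event handlers, and checks the scheme of href/src. This is an added Python example, not code from the thread or from Phil's PHP site; the ALLOWED table is an assumption to adjust to your own wiki.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the tags Phil listed, each with the attributes it may keep.
# No "style", no on* handlers; only href/src may carry a URL, and those are checked.
ALLOWED = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
           "font": {"color", "size", "face"}}
ALLOWED.update({t: set() for t in ("b i u sup sub p br table tr td tbody strong em "
                                   "blockquote ul ol li div span center h1 h2 h3 h4").split()})
VOID = {"br", "img"}             # written without a closing tag
RAW_TEXT = {"script", "style"}   # parser hands us their content as raw text; we discard it

def safe_url(value):
    """Allow relative URLs and http(s); reject javascript:, data:, vbscript: and friends."""
    return urlparse(value.strip()).scheme.lower() in ("", "http", "https")

class WikiHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT:
            self.skip += 1            # <script>/<style> vanish together with their content
            return
        if self.skip or tag not in ALLOWED:
            return                    # e.g. <object>, <iframe>: tag removed, inner text kept
        kept = []
        for name, value in attrs:     # parser already lower-cased tag and attribute names
            value = value or ""
            if name not in ALLOWED[tag]:
                continue              # style="display:none", onclick=... never get through
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in RAW_TEXT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):      # text, including decoded entities, is re-escaped
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    parser = WikiHtmlSanitizer()
    parser.feed(fragment); parser.close()
    return "".join(parser.out)
```

Comments and unknown tags are dropped silently, so it is worth logging what was stripped when a page is saved: a flood of removed style attributes or <object> tags is a useful spam signal.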