PHP, Zend Framework and Other Crazy Stuff
Open Letter to Gareth Heyes: Regex HTML Sanitisation Doesn’t Work
Dear Gareth Heyes,
I thank you for your response that claims Regex HTML Sanitisation can work.
However, I should clarify that my article, Regex HTML Sanitisation: Off With Its Head!, was written in the context of using Perl-compatible regular expressions in PHP to both parse and filter HTML. Your challenge to test HTMLReg was unusual since HTMLReg is written in JavaScript, operates as a client-side library, and utilises the browser DOM so that it never has to parse HTML with regular expressions at all.
As such, HTMLReg and your article title fall outside the context of my original article. I do, however, applaud the concept of using the browser DOM. While I cannot comment on the efficacy of client-side filtering for cross-site scripting (XSS), using a real DOM parser is a reliable strategy for avoiding the parsing problems that regex-based filters suffer from. A similar approach accounts for the success of HTMLPurifier. Obviously, I do not begrudge some minimal use of regular expressions on pre-parsed, normalised input.
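To make the distinction concrete, here is an added example (mine, not code from the post, from HTMLReg or from HTMLPurifier) of the server-side counterpart to the approach praised above: let PHP's own DOMDocument parse and repair the markup, then walk the resulting tree against an allow-list of elements and attributes. Regular expressions are confined to one job, checking an already entity-decoded URL scheme, on input the parser has normalised. The class name, the allow-list policy and the sample inputs are all assumptions constructed for this illustration.

```php
<?php
// Added example, not the post's or any library's own code: an allow-list
// HTML sanitiser that delegates all parsing to DOMDocument. The element and
// attribute policy below is an assumed, deliberately small one.
declare(strict_types=1);

final class DomAllowListSanitiser
{
    /** @var array<string, string[]> element name => permitted attributes */
    private array $allowed = [
        'p' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
        'ul' => [], 'ol' => [], 'li' => [],
        'a' => ['href', 'title'],
    ];

    public function sanitise(string $html): string
    {
        $doc = new DOMDocument();
        // The parser repairs malformed input and reports it as warnings;
        // collect those internally instead of emitting PHP notices.
        $previous = libxml_use_internal_errors(true);
        // The leading XML PI forces UTF-8 decoding; the <body> wrapper makes
        // fragments parse consistently without an implied <html> element.
        $doc->loadHTML(
            '<?xml encoding="UTF-8"><body>' . $html . '</body>',
            LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
        );
        libxml_clear_errors();
        libxml_use_internal_errors($previous);

        $body = $doc->getElementsByTagName('body')->item(0);
        if ($body === null) {
            return '';
        }
        $this->walk($body);

        // Serialise only the body's children so the wrapper never leaks out.
        $out = '';
        foreach ($body->childNodes as $child) {
            $out .= $doc->saveHTML($child);
        }
        return $out;
    }

    private function walk(DOMNode $node): void
    {
        // Snapshot the live NodeList first: removing while iterating skips nodes.
        $children = iterator_to_array($node->childNodes);
        foreach ($children as $child) {
            if ($child instanceof DOMElement) {
                $name = strtolower($child->nodeName);
                if (!isset($this->allowed[$name])) {
                    // Unknown element: drop it together with its entire subtree,
                    // so the text content of script/style never reaches the output.
                    $node->removeChild($child);
                    continue;
                }
                $this->stripAttributes($child, $this->allowed[$name]);
                $this->walk($child);
            } elseif (!($child instanceof DOMText)) {
                // Comments, processing instructions and CDATA carry no content we want.
                $node->removeChild($child);
            }
        }
    }

    /** @param string[] $keep */
    private function stripAttributes(DOMElement $el, array $keep): void
    {
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->nodeName;
        }
        foreach ($names as $name) {
            $lower = strtolower($name);
            if (!in_array($lower, $keep, true)) {
                $el->removeAttribute($name);          // event handlers, style, etc.
            } elseif ($lower === 'href' && !$this->isSafeUrl($el->getAttribute($name))) {
                $el->removeAttribute($name);
            }
        }
    }

    private function isSafeUrl(string $url): bool
    {
        // The DOM has already decoded entities, so the value seen here is what a
        // browser would see. Browsers also ignore embedded control characters
        // when reading a scheme, so strip them before inspecting it.
        $url = preg_replace('/[\x00-\x20]+/', '', $url) ?? '';
        if (preg_match('#^https?://#i', $url)) {
            return true;                               // absolute http(s) URL
        }
        return !preg_match('#^[a-z][a-z0-9+.\-]*:#i', $url); // relative path only
    }
}

// Constructed sample input: unclosed tags, a script element, an event
// handler attribute and a non-http link scheme.
$sanitiser = new DomAllowListSanitiser();
echo $sanitiser->sanitise(
    '<p onclick="x()">Hi <b>there<script>alert(1)</script></p><a href="javascript:void(0)">x</a>'
), "\n";
```

Running this on the constructed sample shows the point of the argument: the parser closes the stray `<b>`, the `script` element disappears together with its contents, the `onclick` attribute is stripped from the paragraph, and the `a` element survives with its non-http `href` removed. None of that required a regular expression to find tag boundaries, which is exactly where regex-only filters go wrong on malformed or unusually encoded input.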
This did, however, prompt me to ponder whether such an inapplicable challenge appearing on Planet-PHP undermines my argument anyway by its mere existence and blunt title in a world populated by A.D.D. sufferers. I believed it might and so I found myself determined to crack your Javascript library over a cup of coffee and a biscuit.
The result of this quick examination cannot be publicly reported here as this would be poor reporting practice. Therefore, I will report the resulting security vulnerability by email. You now have six weeks from today’s date in which to release a fixed version of HTMLReg and publicly disclose this vulnerability. I trust you will ensure that all similar or related potential vulnerabilities are also fixed. It would also, optionally, be interesting to see a blog post on the effectiveness of a client side Javascript filter.
Related posts:
- Regex HTML Sanitisation: Off With Its Head!
- Zend Framework Proposal: Zend\Html\Filter (HTML Sanitisation And Manipulation)
- HTML Sanitisation: The Devil’s In The Details (And The Vulnerabilities)
- HTML Sanitisation Benchmarking With Wibble (ZF Proposal)
- HTML Purifier 2.0.0 – new version of the PHP HTML filter library
This entry was posted by padraic on March 18, 2011 at 4:02 pm, and is filed under PHP General, PHP Security, Zend Framework. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.