Resources

Getting started

Support

Development

Topics

User Functions

Events

There are no upcoming events

What's New

Stories last 2 weeks

No new stories

Comments last 2 weeks

No new comments

Trackbacks last 2 weeks

No new trackback comments

Links last 2 weeks

No recent new links

NEW FILES last 14 days

No new files

Welcome to Geeklog Thursday, April 24 2014 @ 06:43 AM EDT

The following comments are owned by whomever posted them. This site is not responsible for what they say.

  • Suggestions for filtering CSS url( ) images?
  • Authored by:squatty on Thursday, January 30 2003 @ 11:39 AM EST
Question: is this a GL specific issue, apache, php, what? I'd be interested in seeing if this exploit can be applied to other apps/platforms. Not that I'm looking for "hacking" tips or anyting...just want to see if my work environment is impacted.

Thnx!

---
Danny @ squatty.com
  • Suggestions for filtering CSS url( ) images?
  • Authored by:sardu on Thursday, January 30 2003 @ 11:50 AM EST
I hope I haven't opened up a huge can of worms posting that message. I don't really fancy the idea of anonymous comments 'rebranding' sites all over the net.

It _DOES_ work on some other weblog sites/packages. I'm not going to list any of them here. I think a fix should probably be applied to the main distribution.

It has nothing to do with apache or php, if you let HTML attributes pass through, other people's browsers will render them. If those attributes contain CSS, the browser will render the CSS.

---
Lucas Thompson
sardu_AT_mac.com
  • Suggestions for filtering CSS url( ) images?
  • Authored by:Tony on Thursday, January 30 2003 @ 11:52 AM EST
If you have a fix already let us know and we can put it in. Otherwise it may take a bit of work before we get this in ourselves. If you can use str_replace instead of the regex stuff...it's faster. Of course somethings are best suited for regex but on large stories this can be really slow in PHP.

---
The reason people blame things on previous generations is that there's only one other choice.
  • Suggestions for filtering CSS url( ) images?
  • Authored by:sardu on Thursday, January 30 2003 @ 12:01 PM EST
I don't have a fix in place yet but should have something by the end of the day.

I'll see if I can minimize the regex in favour of str_replace()

---
Lucas Thompson
sardu_AT_mac.com
  • Fix
  • Authored by:sardu on Thursday, January 30 2003 @ 07:06 PM EST
Sorry, I got tied up with a bunch of stuff today, as a quick fix people can just add this to COM_checkHTML() in lib-common.php

// Hack to filter out user-generated CSS attributes
$str = preg_replace( '/style="[^"]+"/', '', $str );

It works fine and preg_replace seems quick enough even on an ancient K6/350 I have.
Please note that it prevents ALL user-generated CSS from appearing.

---
Lucas Thompson
sardu_AT_mac.com

  • Fix... NOT
  • Authored by:sardu on Friday, January 31 2003 @ 12:13 AM EST

Doh!... that actually only fixes it if the user writes nice clean HTML with no spaces before/after the = sign.

I'm thinking maybe phpfilter should be integrated instead, it still lets images from the main site get loaded (allowing you to disable a page with a 2000x2000 pixel repeating pattern of the site logo) but I've contacted the author about it.

Anyone have other suggestions?

---
Lucas Thompson
sardu_AT_mac.com