Suggestions for filtering CSS url( ) images?

Welcome to Geeklog Thursday, October 01 2020 @ 06:07 pm EDT

Suggestions for filtering CSS url( ) images? | 9 comments | Create New Account

The following comments are owned by whomever posted them. This site is not responsible for what they say.

Suggestions for filtering CSS url( ) images?

Authored by: squatty on Thursday, January 30 2003 @ 11:39 am EST

Question: is this a GL specific issue, apache, php, what? I'd be interested in seeing if this exploit can be applied to other apps/platforms. Not that I'm looking for "hacking" tips or anyting...just want to see if my work environment is impacted.

Thnx!

---
Danny @ squatty.com

---
In a world without walls and fences, who needs Windows and Gates?

Suggestions for filtering CSS url( ) images?

Authored by: sardu on Thursday, January 30 2003 @ 11:50 am EST

I hope I haven't opened up a huge can of worms posting that message. I don't really fancy the idea of anonymous comments 'rebranding' sites all over the net.

It _DOES_ work on some other weblog sites/packages. I'm not going to list any of them here. I think a fix should probably be applied to the main distribution.

It has nothing to do with apache or php, if you let HTML attributes pass through, other people's browsers will render them. If those attributes contain CSS, the browser will render the CSS.

---
Lucas Thompson
sardu_AT_mac.com

---
Lucas Thompson, sardu@mac,com

Suggestions for filtering CSS url( ) images?

Authored by: Tony on Thursday, January 30 2003 @ 11:52 am EST

If you have a fix already let us know and we can put it in. Otherwise it may take a bit of work before we get this in ourselves. If you can use str_replace instead of the regex stuff...it's faster. Of course somethings are best suited for regex but on large stories this can be really slow in PHP.

---
The reason people blame things on previous generations is that there's only one other choice.

---
The reason people blame things on previous generations is that there's only one other choice.

Suggestions for filtering CSS url( ) images?

Authored by: sardu on Thursday, January 30 2003 @ 12:01 pm EST

I don't have a fix in place yet but should have something by the end of the day.

I'll see if I can minimize the regex in favour of str_replace()

---
Lucas Thompson
sardu_AT_mac.com

---
Lucas Thompson, sardu@mac,com

Fix

Authored by: sardu on Thursday, January 30 2003 @ 07:06 pm EST

Sorry, I got tied up with a bunch of stuff today, as a quick fix people can just add this to COM_checkHTML() in lib-common.php

// Hack to filter out user-generated CSS attributes
$str = preg_replace( '/style="[^"]+"/', '', $str );

It works fine and preg_replace seems quick enough even on an ancient K6/350 I have.
Please note that it prevents ALL user-generated CSS from appearing.

---
Lucas Thompson
sardu_AT_mac.com

---
Lucas Thompson, sardu@mac,com

Fix... NOT

Authored by: sardu on Friday, January 31 2003 @ 12:13 am EST

Doh!... that actually only fixes it if the user writes nice clean HTML with no spaces before/after the = sign.

I'm thinking maybe phpfilter should be integrated instead, it still lets images from the main site get loaded (allowing you to disable a page with a 2000x2000 pixel repeating pattern of the site logo) but I've contacted the author about it.

Anyone have other suggestions?

---
Lucas Thompson
sardu_AT_mac.com

---
Lucas Thompson, sardu@mac,com

Geeklog

Search

Resources

About

Getting started

Support

Development

Topics

User Functions

What's New

Articles last 4 weeks

Comments last 4 weeks

Pages last 4 weeks

Links last 4 weeks

Downloads last 4 weeks