| blob | 1bfc2fe2bed1fdc917554890a7b1a9638b2e0e0a |
4 <head>
8 filtering, HTML_Safe, PEAR, comparison, kses, striptags,
14 <!--[if lt IE 7.]><script defer="defer" type="text/javascript" src="./pngfix.js"></script><![endif]-->
15 </head>
16 <body>
21 <div id="header"><a href="./"><span class="html">HTML</span> <span class="purifier">Purifier</span></a></div>
27 gone from passive consumer to active producer of content on the World Wide
31 put the user in control.</p>
33 <p>Give the user too much control, however, and you set yourself up
37 has proven to be both a blessing and a curse, and the software that processes
38 it must strike a fine balance between security and usability. How do
39 we prevent users from injecting JavaScript or inserting malformed
41 a rich syntax of tags, attributes and <acronym
45 about sloppy coding messing up <acronym
48 developer has come across this problem before, and many have tried
49 (albeit unsuccessfully) to solve this problem. We will analyze existing
50 libraries to demonstrate how they are ineffective and, of course,
51 how HTML Purifier solves all our problems and achieves world peace.</p>
53 <p>I will take no quarter and pull no punches: as of the time of writing,
55 for richly formatted documents. However, it's important to note HTML
57 There are cases in which HTML Purifier is overkill, in such situations,
58 use the tool best suited for the job.</p>
66 </blockquote>
70 they are the number one method of taking user input and processing it into
71 something more than plain old text. These libraries forgo
77 such markup languages (although it should be noted that
78 Wikitext and Markdown can allow
80 The benefits (to those who use it, anyway) are clear: simplicity and
81 security.
82 </p>
84 <table>
85 <thead>
86 <tr>
89 </tr>
90 </thead>
91 <tbody>
92 <tr>
95 </tr>
96 <tr>
99 </tr>
100 <tr>
103 </tr>
104 <tr>
107 </tr>
108 <tr>
110 <td><tt><b>B</b> <i>i</i> <a href="http://www.example.com/">link</a></tt></td>
111 </tr>
112 <tr>
115 </tr>
116 </tbody>
117 </table>
122 There are many variants of Wikitext currently extant.</li>
123 <li>Strictly speaking, the Markdown syntax is not equivalent: bold text
126 however, map those two semantic tags to the associated styling, so
127 many users assume that it really is italics (and use it improperly for,
128 say, book titles.)</li>
129 </ol>
134 source
135 code is often criticized for being difficult to read. For example,
136 compare:</p>
138 <pre>
139 * Item 1
140 * Item 2
141 </pre>
145 <pre>
150 </pre>
152 <p>The difference seems obvious. However, there is something called a
154 which blows both cases out of the water in terms
155 of usability. And, when push comes to shove, it is far easier to
156 implement this sort of editor on top of <acronym
158 markup language. And in the cases when it is done, you usually end up with
159 a live preview, not a true rich text editor.</p>
164 editors aren't all that great." There are many good arguments
165 against these editors, and intelligent people have written essays devoted to
167 In a web context, no JavaScript means no
168 editor, and just like when the power is out you must type in the code
169 manually. I will, however, dispel one common objection, that is, that
170 these editors
172 this is the case with any markup language that allows the smallest
175 A good way to mitigate this trouble is to simply eliminate the
176 dialogue boxes that allow users to change colors or fonts (which
177 usually have no legitimate use) and adopt a
179 allowing users to select contextually correct formatting styles
180 for segments of text.</p>
181 </blockquote>
183 <p>Simplicity is also a double-edged sword. The moment any remotely
184 complex markup is needed, these lightweight markup languages fail to
185 produce. Sure you can make '''this text bold''' with Wikitext, but that
188 These languages face the same troubles as regular <acronym
190 whitelist is too restrictive (besides the fact that their table markup
191 is extraordinarily complex).</p>
197 the angled brackets with square brackets and omitting the occasional parameter
198 name? How much more un-original can you get? Somehow, I don't think BBCode
199 was meant to readable. <a
202 <blockquote>
203 BBCode was devised and put to use in order to provide a safer, easier
204 and more limited way of allowing users to format their messages.
205 Previously, many message boards allowed the users to include HTML,
206 which could be used to break/imitate parts of the layout, or run
207 JavaScript. Some implementations of BBCode have suffered problems related
208 to the way they translate the BBCode into HTML, which could negate the
209 security that was intended to be given by BBCode.
210 </blockquote>
214 <blockquote>
215 BBCode came to life when developers where too lazy to parse HTML correctly
216 and decided to invent their own markup language. As with all products of
217 laziness, the result is completely inconsistent, unstandardized, and
218 widely adopted.
219 </blockquote>
221 <p>Well, developers, the whole point of HTML Purifier is that I do the
222 work so you can just execute the ridiculously simple
228 <p>These alternative markup languages have their shiny points, and HTML
229 Purifier is not meant to replace them. However, a major reason for
231 using these languages?</p>
237 neat enough, at least, to make it into PHP as a
239 The premise is simple, the execution effective. Tidy is, in short, a great
242 <p>It is not, however, a filter. I am often surprised when people ask
247 Tidy reads HTML, XHTML and XML files and writes cleaned up markup. For
248 HTML variants, it detects and corrects many common coding errors and
249 strives to produce visually equivalent markup that is both W3C compliant
250 and works on most browsers. A common use of Tidy is to convert plain HTML
251 to XHTML.
252 </blockquote>
261 <p>This is not to say that I haven't seen Tidy be used in this sort of
262 fashion. MediaWiki, for instance, uses Tidy to cleanup the final HTML
263 output before shuttling it off to the browser. The developers, nevertheless,
264 agree that this is only a band-aid solution, and that the real way
265 to fix it is to fix the parser. Tidy's great, but in terms of security,
266 it's unsuited for untrusted sources.</p>
270 <p>I've ordered my analyses according to how bad a library is. The worst
271 is first, and then we move up the spectrum. I will point out the most
272 flagrant problems with the libraries, but note that I will omit more
274 attribute, I really shouldn't reprimand you for letting non-SGML code
275 points through. The ideal solution, however, must do all these things.</p>
285 </table>
289 the classic solution for attempting to clean up
292 The fact that it doesn't validate attributes at all means that anyone can
294 this can be bandaided with a series of regular expressions that strip out
295 on[event] (you're still vulnerable to <acronym
297 quirky browser behavior), striptags() is fundamentally flawed and should not be
298 used.
299 </p>
305 is a souped up version of striptags() with the ability to inspect
306 attributes. (Don't mind the hastily tacked on query escaping function).</p>
319 </table>
321 <p>PHP Input Filter implements an
323 performs very basic checks on whether or not tags and attributes have
324 been defined in the whitelist as well as some smarter <acronym
326 the user to define what they'll permit.</p>
328 <p>With absolutely no checking of well-formedness, it is trivially easy
329 to trick the filter into leaving unclosed tags lying around. While
331 basic sanity checks like this must be implemented.</p>
333 <p>More troubles: Woe to
335 just let <acronym
337 layout not to be badly mutilated. To top things off,
338 the filter doesn't even preserve data properly: attributes have all
339 spaces stripped out of them. Stay away, stay away!</p>
346 filtering library.
347 It should be noted that this is the same library as
349 branding (and a different version number).</p>
362 </table>
364 <p>HTML_Safe's mechanism of action involves parsing
367 validation and filtering as the handlers are called. HTML_Safe does a lot
370 is fundamentally flawed: blacklists.</p>
372 <p>This library maintains arrays of dangerous tags, attributes and
374 has a blacklist of dangerous <acronym
376 intelligently disabled by default in favor of a protocol whitelist.)
377 What this means is that HTML_Safe has no qualms of accepting input
379 the tags in those arrays. Scratch standards-compliance (and that was
380 without even considering proper nesting).</p>
382 <p>For now, HTML_Safe might be safe from
384 In the future, however, one of the infinitely many tags that HTML_Safe lets
385 through might just possibly be given special functionality by browser vendors.
387 solution puts you at a perpetual arms race against crackers who are constantly
388 discovering new and inventive ways to abuse tags and attributes that you
389 didn't blacklist.</p>
394 be the de-facto solution for cleaning
410 </table>
412 <p>To be truthful, I didn't do as comprehensive a code survey for kses
413 as I did for some of the other libraries. Out of
414 all the classes I've reviewed so far, kses was definitely the hardest to
415 understand.</p>
417 <p>kses's modus operandi is splitting up html with a monster regexp
419 suffers from the same problems as Input Filter: no well-formedness
420 checks leading to rampant runaway tags (and no standards-compliance).</p>
422 <p>Its whitelist syntax, however, is the most complex of all these libraries,
423 so I'm going to take some time to argue why this particular implementation
424 is bad. The author of this library was thoughtful enough to provide some
425 basic constraint checks on attributes like maxlen and maxval. Now, barring
426 the fact that there simply aren't enough checks, and the fact that they are
427 all lumped together in one function, we now must wonder whether or not
428 the user will go through the trouble of specifying the maximum length
429 of a title attribute.</p>
431 <p>I have my opinions about inherent human laziness, but perhaps WordPress's
432 default filterset is the most telling example:</p>
434 <pre>
435 $allowedposttags = array (
436 /* formatted and trimmed */
437 'hr' => array (
438 'align' => array (),
439 'noshade' => array (),
440 'size' => array (),
441 'width' => array ()
442 )
443 );
444 </pre>
446 <p>Hmm... do I see a blatant lack of attribute constraints? Conclusion:
447 if the user can get away with not doing work, they will! The biggest
449 the whitelist. The whitelist is just as important as the code that uses
450 the whitelist to filter
457 HTML Checker</a> is (to my knowledge) the first attempt to make a filter
458 that also outputs standards-compliant XHTML. It wasn't even released or
460 search result must have done something right.</p>
473 </table>
475 <p>Indeed, it is quite a well-written piece of code. It demonstrates
476 knowledge of inline versus block elements, thus almost nearly getting
477 nesting correct (the only exception is an unimplemented omitted SGML
480 <p>Unfortunately, part of the reason why it works so well is that it's
481 extremely restrictive. No styling, no tables, very few attributes.
482 Perfectly appropriate for blog comments, but then again, there's always
483 BBCode. This probably means that Safe HTML Checker has a different
484 goal than HTML Purifier.</p>
487 is also quite strict. Accidentally missed a < sign? The parser will
488 complain with the cryptic message:
490 is not well-formed".
491 The solution is not as simple as just switching to a more permissive
492 parser: Safe HTML Checker relies on the fact that the parser will have
493 matched up the tags for them.</p>
508 </table>
518 </table>
520 <p>This is not to say that HTML Purifier doesn't have problems of its own.
521 It's a fairly nascent library (so there's bound to bugs), it's big
522 (while the others usually fit in one file, this one requires a huge
524 features.</a> A big thing I would like to see added to this library is
525 multiple levels of filtering: from a super-permissive lint mode
526 to a super-restrictive blog comment mode. But even in its current state,
527 HTML Purifier is far better than the other libraries.</p>
531 </div>
532 </body>
533 </html>