| blob | 50b4d0c4d882240e7ca435e98ecd2f4b65d72bfe |
3 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" [
5 ]>
14 <head>
17 <meta name="keywords" content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, HTML_Safe, PEAR, comparison, kses, striptags, SafeHTMLChecker" />
18 </head>
19 <body>
26 <p>
28 the end user has gone from passive consumer to active producer of content
32 </p>
34 <p>
35 Give the user too much control, however, and you set yourself up for <a
38 proven to be both a blessing and a curse, and the software that
39 processes it must strike a fine balance between security and usability.
40 How do we prevent users from injecting JavaScript or inserting malformed
45 come across this problem before, and many have tried (albeit
46 unsuccessfully) to solve this problem. We will analyze existing
47 libraries to demonstrate how they are ineffective and, of course, how
49 standards-compliance.
50 </p>
52 <p>
53 I will take no quarter and pull no punches: as of the time of writing,
55 for richly formatted documents. But, nonetheless, there is a necessary
56 disclaimer:
57 </p>
60 <p>
61 This comparison document was written by the author of HTML Purifier,
63 mean that it is biased: I have made every attempt to be <strong>factual and
64 fair</strong>, and I hope that you will agree, by the time you finish reading
66 filter out there today.
67 </p>
68 </div>
79 <thead>
80 <tr>
92 </tr>
93 </thead>
95 <tbody>
97 <tr>
109 </tr>
111 <tr>
123 </tr>
125 <tr>
137 </tr>
139 <tr>
151 </tr>
153 <tr>
165 </tr>
167 <tr>
179 </tr>
181 <tr>
193 </tr>
195 </tbody>
197 </table>
198 </div>
200 <p>
203 </p>
209 A clever person solves a problem.
210 A wise person avoids it.
211 </div>
213 </blockquote>
215 <p>
216 Before we jump into the weird and not-so-wonderful world of
220 number one method of taking user input and processing it into something
222 define their own markup syntax. <a
227 such markup languages (although it should be noted that Wikitext and
229 those who use it, anyway) are clear: simplicity and security.
230 </p>
233 <thead>
234 <tr>
237 </tr>
238 </thead>
239 <tbody>
240 <tr>
243 </tr>
244 <tr>
247 </tr>
248 <tr>
251 </tr>
252 <tr>
255 </tr>
256 <tr>
258 <td><tt><b>B</b> <i>i</i> <a href="http://www.example.com/">link</a></tt></td>
259 </tr>
260 <tr>
263 </tr>
264 </tbody>
265 </table>
268 <li>
269 Wikitext shown is modeled after <a
271 There are many variants of Wikitext currently extant.
272 </li>
273 <li>
274 Strictly speaking, the Markdown syntax is not equivalent: bold text
277 however, map those two semantic tags to the associated styling, so
278 many users assume that it really is italics (and use it improperly for,
279 say, book titles.)
280 </li>
281 </ol>
285 <p>
287 read. For example, compare:
288 </p>
290 <pre>
291 * Item 1
292 * Item 2
293 </pre>
297 <pre>
302 </pre>
304 <p>
305 Which would you prefer to edit? The answer seems obvious, but be careful
306 not to fall into the fallacy of <a
309 text) editor, which blows earlier choices out of the water in terms of
310 usability.
311 </p>
313 <p>
314 Note that rich text editors and alternate markup syntaxes are not
315 mutually exclusive, but, when push comes to shove, it's easier
317 markup language. And in the cases when it is done, you usually end up with
318 a live preview, not a true rich text editor.
319 </p>
322 <p>
324 editors aren't all that great.</q> There are many good arguments against
325 these editors, and <a
327 people have written essays</a> devoted to criticizing
329 said editors, the web poses another limitation: no JavaScript means no
330 editor, and no editor means... (gasp) manually typing in code.
331 </p>
332 <p>
333 Even the most dogmatic purist, however, should recognize that for all
335 There are steps you can take to mitigate the associated drawbacks of
336 these editors.
337 </p>
338 <p>
341 this is the case with any markup language that allows the smallest
344 eliminate the dialogue boxes that allow users to change colors or fonts
346 scheme, allowing users to select contextually correct formatting styles
347 for segments of text.
348 </p>
349 </blockquote>
351 <p>
352 Simplicity is also a double-edged sword. The moment any remotely
353 complex markup is needed, these lightweight markup languages fail to
354 produce. Sure you can make '''this text bold''' with Wikitext, but that
358 restrictive (besides the fact that their table markup is extraordinarily
359 complex).
360 </p>
364 <p>
367 the angled brackets with square brackets and omitting the occasional parameter
368 name? How much more un-original can you get? Somehow, I don't think BBCode
369 was meant to readable. <a
371 </p>
373 <blockquote>
374 BBCode was devised and put to use in order to provide a safer, easier
375 and more limited way of allowing users to format their messages.
377 which could be used to break/imitate parts of the layout, or run
378 JavaScript. Some implementations of BBCode have suffered problems related
380 security that was intended to be given by BBCode.
381 </blockquote>
385 <blockquote>
386 BBCode came to life when developers where too
388 and decided to invent their own markup language. As with all products of
389 laziness, the result is completely inconsistent, unstandardized, and
390 widely adopted.
391 </blockquote>
393 <p>
394 Well, developers, the whole point of HTML Purifier is that I do the
395 work so you can just execute the ridiculously simple
398 </p>
402 <p>
403 These alternative markup languages have their shiny points, and HTML
404 Purifier is not meant to replace them. However, a major reason for
406 using these languages?
407 </p>
411 <p>
412 Dave Raggett's
416 The premise is simple, the execution effective. Tidy is, in short, a great
418 </p>
420 <p>
421 It is not, however, a filter. I am often surprised when people ask
424 </p>
433 </blockquote>
435 <p>
442 </p>
444 <p>
445 This is not to say that I haven't seen Tidy be used in this sort of
447 output before shuttling it off to the browser. The developers, nevertheless,
448 agree that this is only a band-aid solution, and that the real way
449 to fix it is to fix the parser. Tidy's great, but in terms of security,
450 it's not suitable for untrusted sources.
451 </p>
455 <p>
456 I've ordered my analyses according to how bad a library is. The worst
457 is first, and then we move up the spectrum. I will point out the most
458 flagrant problems with the libraries, but note that I will omit more
461 points through. The ideal solution, however, must do all these things.
462 </p>
464 <p>
465 Note that besides striptags,
467 attacks. None of them (save Safe HTML Checker) fare very well
468 in the standards-compliance department though.
469 </p>
479 </table>
481 <p>
484 the classic solution for attempting to clean up
487 The fact that it doesn't validate attributes at all means that anyone can
489 </p>
491 <p>
492 While this can be bandaided with a series of regular expressions that strip out
494 quirky browser behavior), striptags() is fundamentally flawed and should not be
495 used.
496 </p>
500 <p>
501 Though its title may not imply it,
503 is a souped up version of striptags() with the ability to inspect
504 attributes. (Don't mind the hastily tacked on query escaping function).
505 </p>
518 </table>
520 <p>
521 PHP Input Filter implements an
523 performs very basic checks on whether or not tags and attributes have
524 been defined in the whitelist as well as some
526 the user to define what they'll permit.
527 </p>
529 <p>
530 With absolutely no checking of well-formedness, it is trivially easy
531 to trick the filter into leaving unclosed tags lying around. While to some
533 basic sanity checks like this must be implemented, otherwise a user
534 can mangle a website's layout.
535 </p>
537 <p>
538 More troubles: Woe to
541 layout not to be badly mutilated. To top things off,
542 the filter doesn't even preserve data properly: attributes have all
543 spaces stripped out of them. Stay away, stay away!
544 </p>
548 <p>
551 It should be noted that this is the same library as
553 branding (and a different version number).
554 </p>
567 </table>
569 <p>
570 HTML_Safe's mechanism of action involves parsing
573 validation and filtering as the handlers are called. HTML_Safe does a lot
576 is fundamentally flawed: blacklists.
577 </p>
579 <p>
580 This library maintains arrays of dangerous tags, attributes and
583 intelligently disabled by default in favor of a protocol whitelist.)
584 What this means is that HTML_Safe has no qualms of accepting input
586 the tags in those arrays. Scratch standards-compliance (and that was
587 without even considering proper nesting).
588 </p>
590 <p>
592 In the future, however, one of the infinitely many tags that HTML_Safe lets
593 through might just possibly be given special functionality by browser vendors.
595 solution puts you at a perpetual arms race against crackers who are constantly
596 discovering new and inventive ways to abuse tags and attributes that you
597 didn't blacklist.
598 </p>
602 <p>
607 </p>
620 </table>
622 <p>
623 To be truthful, I didn't do as comprehensive a code survey for kses
624 as I did for some of the other libraries. Out of
625 all the classes I've reviewed so far, kses was definitely the hardest to
626 understand.
627 </p>
629 <p>
630 kses's modus operandi is splitting up html with a monster regexp
632 suffers from the same problems as Input Filter: no well-formedness
633 checks leading to rampant runaway tags (and no standards-compliance).
634 WordPress, the primary user of kses today, had to implement their
635 own custom tag-balancing code to fix this problem: don't use this
636 library without some equivalent!
637 </p>
639 <p>
640 Its whitelist syntax, however, is the most complex of all these libraries,
641 so I'm going to take some time to argue why this particular implementation
642 is bad. The author of this library was thoughtful enough to provide some
643 basic constraint checks on attributes like maxlen and maxval. Now, barring
644 the fact that there simply aren't enough checks, and the fact that they are
645 all lumped together in one function, we now must wonder whether or not
646 the user will go through the trouble of specifying the maximum length
647 of a title attribute.
648 </p>
650 <p>
651 I have my opinions about inherent human laziness, but perhaps WordPress's
652 default filterset is the most telling example:
653 </p>
655 <pre>
656 $allowedposttags = array (
657 /* formatted and trimmed */
658 'hr' => array (
659 'align' => array (),
660 'noshade' => array (),
661 'size' => array (),
662 'width' => array ()
663 )
664 );
665 </pre>
667 <p>
668 Hmm... do I see a blatant lack of attribute constraints? Conclusion:
669 if the user can get away with not doing work, they will! The biggest
671 the whitelist. The whitelist is just as important as the code that uses
673 </p>
677 <p>
678 <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php">htmLawed</a>
679 is kses on steroids. After looking at HTML Purifier and deciding that it was
680 too slow for him, Santosh Patnaik went ahead and rewrote the kses engine
681 with more features. It is the only other filtering library currently available
682 that is being actively maintained.
683 </p>
696 </table>
698 <p>
701 output. Unfortunately, it is vulnerable to a few of the vectors in
703 cheat-sheet.</a> I have not listed them here to give the vendor a chance
704 to fix these issues.
705 </p>
707 <p>
708 htmLawed improves standards-compliance, but it is not fully standards-compliant;
709 there are a number of cases which the author has explicitly stated he will not
710 fix. There are issues with content
713 </p>
715 <p>
719 to turn on htmLawed's security features! This is
721 design</a>. Sane defaults are important, because for every person who
722 does read the documentation, there is
724 one who doesn't (and is mislead by claims that <q>htmLawed is a single-file PHP
725 software that makes input text secure</q>), and is
726 surprised at some behavior.
728 any security restrictions.
729 </p>
731 <p>
732 I also disagree with some of the choices with regards to what elements are
735 but they are certainly not phishing safe. An attacker can set an iframe
736 to 100% width and height and effectively take over a website; forms can be
739 </p>
741 <p>
742 Users, you may be smarting for some better performance, but avoid this
743 library for now, at the very least until the vulnerabilities are fixed.
744 </p>
748 <p>
750 HTML Checker</a> is (to my knowledge) the first attempt to make a filter
753 search result must have done something right.
754 </p>
767 </table>
769 <p>
770 Indeed, it is quite a well-written piece of code. It demonstrates
771 knowledge of inline versus block elements, thus almost nearly getting
772 nesting correct (the only exception is an unimplemented omitted SGML
774 </p>
776 <p>
777 Unfortunately, part of the reason why it works so well is that it's
778 extremely restrictive. No styling, no tables, very few attributes.
779 Perfectly appropriate for blog comments, but then again, there's always
780 BBCode. This probably means that Safe HTML Checker has a different
781 goal than HTML Purifier.
782 </p>
784 <p>
786 < sign? The parser will complain with the cryptic message:
788 simple as just switching to a more permissive parser: Safe HTML Checker
789 relies on the fact that the parser will have matched up the tags for
790 them.
791 </p>
806 </table>
808 <p>
809 That table should say it all, but I'll add a few more features:
810 </p>
822 </table>
824 <p>
825 This is not to say that HTML Purifier doesn't have problems of its own.
826 It's big (while the others usually fit in one file, this one requires a huge
828 features.</a> But even with these deficiencies,
829 HTML Purifier is far better than the other libraries.
830 </p>
832 <p>
834 </p>
836 </div>
837 </body>
838 </html>