| blob | d471a898a950ff0d3116bc21ec08037c2fc53a51 |
5 <head>
8 <meta name="keywords" content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, HTML_Safe, PEAR, comparison, kses, striptags, SafeHTMLChecker" />
13 <!--[if lt IE 7.]><script defer="defer" type="text/javascript" src="./pngfix.js"></script><![endif]-->
14 </head>
15 <body>
20 <div id="header"><a href="./"><span class="html">HTML</span> <span class="purifier">Purifier</span></a></div>
25 gone from passive consumer to active producer of content on the World Wide
29 put the user in control.</p>
31 <p>Give the user too much control, however, and you set yourself up
32 for <a href="http://en.wikipedia.org/wiki/Cross-site_scripting"><acronym>XSS</acronym></a> attacks. For this reason,
34 has proven to be both a blessing and a curse, and the software that processes
35 it must strike a fine balance between security and usability. How do
36 we prevent users from injecting JavaScript or inserting malformed
43 developer has come across this problem before, and many have tried
44 (albeit unsuccessfully) to solve this problem. We will analyze existing
45 libraries to demonstrate how they are ineffective and, of course,
47 standards-compliance.</p>
49 <p>I will take no quarter and pull no punches: as of the time of writing,
51 for richly formatted documents. But, nonetheless, there is a necessary
52 disclaimer:</p>
55 This comparison document was written by the author of HTML Purifier,
57 mean that it is biased: I have made every attempt to be <strong>factual and
58 fair</strong>, and I hope that you will agree, by the time you finish reading
59 this document, that HTML Purifier is the only satisfactory HTML
60 filter out there today.
61 </p>
72 <thead>
73 <tr>
85 </tr>
86 </thead>
88 <tbody>
90 <tr>
102 </tr>
104 <tr>
116 </tr>
118 <tr>
130 </tr>
132 <tr>
144 </tr>
146 <tr>
158 </tr>
160 <tr>
172 </tr>
174 </tbody>
176 </table>
177 </div>
179 <p class="lead"><a href="#Tidy">HTML Tidy</a> is omitted from this list because it is not an <acronym>HTML</acronym>
180 filter.</p>
186 A clever person solves a problem.
187 A wise person avoids it.
188 </div>
190 </blockquote>
194 markup libraries. While libraries of this type really shouldn't be
196 they are the number one method of taking user input and processing it into
197 something more than plain old text. These libraries forgo
203 such markup languages (although it should be noted that
204 Wikitext and Markdown can allow
206 The benefits (to those who use it, anyway) are clear: simplicity and
207 security.
208 </p>
211 <thead>
212 <tr>
215 </tr>
216 </thead>
217 <tbody>
218 <tr>
221 </tr>
222 <tr>
225 </tr>
226 <tr>
229 </tr>
230 <tr>
233 </tr>
234 <tr>
236 <td><tt><b>B</b> <i>i</i> <a href="http://www.example.com/">link</a></tt></td>
237 </tr>
238 <tr>
241 </tr>
242 </tbody>
243 </table>
248 There are many variants of Wikitext currently extant.</li>
249 <li>Strictly speaking, the Markdown syntax is not equivalent: bold text
252 however, map those two semantic tags to the associated styling, so
253 many users assume that it really is italics (and use it improperly for,
254 say, book titles.)</li>
255 </ol>
260 source code is often criticized for being difficult to read. For example,
261 compare:</p>
263 <pre>
264 * Item 1
265 * Item 2
266 </pre>
270 <pre>
275 </pre>
277 <p>Which would you prefer to edit? The answer seems obvious, but be careful
278 not to fall into the fallacy of <a
282 editor, which blows earlier choices out of the water in terms
283 of usability.</p>
285 <p>Note that rich text editors and alternate markup syntaxes are not
286 mutually exclusive, but, when push comes to shove, it's easier
288 markup language. And in the cases when it is done, you usually end up with
289 a live preview, not a true rich text editor.</p>
294 editors aren't all that great.</q> There are many good arguments
295 against these editors, and <a
297 people have written essays</a> devoted to
299 In addition to the usual arguments against said editors, the web poses
300 another limitation: no JavaScript means no
301 editor, and no editor means... (gasp) manually typing in code.</p>
303 <p>Even the most dogmatic purist, however, should recognize that for all
305 There are steps you can take to mitigate the associated drawbacks of
306 these editors.</p>
308 <p>It is often asserted that
311 this is the case with any markup language that allows the smallest
314 A good way to reduce this trouble is to simply eliminate the
315 dialogue boxes that allow users to change colors or fonts (which
316 usually have no legitimate use) and adopt a
318 allowing users to select contextually correct formatting styles
319 for segments of text.</p>
320 </blockquote>
322 <p>Simplicity is also a double-edged sword. The moment any remotely
323 complex markup is needed, these lightweight markup languages fail to
324 produce. Sure you can make '''this text bold''' with Wikitext, but that
328 filters in that their whitelist is too restrictive (besides the fact that
329 their table markup is extraordinarily complex).</p>
335 the angled brackets with square brackets and omitting the occasional parameter
336 name? How much more un-original can you get? Somehow, I don't think BBCode
337 was meant to readable. <a
340 <blockquote>
341 BBCode was devised and put to use in order to provide a safer, easier
342 and more limited way of allowing users to format their messages.
344 which could be used to break/imitate parts of the layout, or run
345 JavaScript. Some implementations of BBCode have suffered problems related
347 security that was intended to be given by BBCode.
348 </blockquote>
352 <blockquote>
353 BBCode came to life when developers where too
355 and decided to invent their own markup language. As with all products of
356 laziness, the result is completely inconsistent, unstandardized, and
357 widely adopted.
358 </blockquote>
360 <p>Well, developers, the whole point of HTML Purifier is that I do the
361 work so you can just execute the ridiculously simple
367 <p>These alternative markup languages have their shiny points, and HTML
368 Purifier is not meant to replace them. However, a major reason for
370 using these languages?</p>
378 The premise is simple, the execution effective. Tidy is, in short, a great
381 <p>It is not, however, a filter. I am often surprised when people ask
392 </blockquote>
401 <p>This is not to say that I haven't seen Tidy be used in this sort of
403 output before shuttling it off to the browser. The developers, nevertheless,
404 agree that this is only a band-aid solution, and that the real way
405 to fix it is to fix the parser. Tidy's great, but in terms of security,
406 it's not suitable for untrusted sources.</p>
410 <p>I've ordered my analyses according to how bad a library is. The worst
411 is first, and then we move up the spectrum. I will point out the most
412 flagrant problems with the libraries, but note that I will omit more
415 points through. The ideal solution, however, must do all these things.</p>
417 <p>Note that besides striptags,
419 attacks. None of them (save Safe HTML Checker) fare very well
420 in the standards-compliance department though.</p>
430 </table>
434 the classic solution for attempting to clean up
437 The fact that it doesn't validate attributes at all means that anyone can
440 <p>While
441 this can be bandaided with a series of regular expressions that strip out
443 quirky browser behavior), striptags() is fundamentally flawed and should not be
444 used.
445 </p>
451 is a souped up version of striptags() with the ability to inspect
452 attributes. (Don't mind the hastily tacked on query escaping function).</p>
465 </table>
467 <p>PHP Input Filter implements an
469 performs very basic checks on whether or not tags and attributes have
470 been defined in the whitelist as well as some
472 the user to define what they'll permit.</p>
474 <p>With absolutely no checking of well-formedness, it is trivially easy
475 to trick the filter into leaving unclosed tags lying around. While to some
477 basic sanity checks like this must be implemented, otherwise a user
478 can mangle a website's layout.</p>
480 <p>More troubles: Woe to
483 layout not to be badly mutilated. To top things off,
484 the filter doesn't even preserve data properly: attributes have all
485 spaces stripped out of them. Stay away, stay away!</p>
491 It should be noted that this is the same library as
493 branding (and a different version number).</p>
506 </table>
508 <p>HTML_Safe's mechanism of action involves parsing
511 validation and filtering as the handlers are called. HTML_Safe does a lot
514 is fundamentally flawed: blacklists.</p>
516 <p>This library maintains arrays of dangerous tags, attributes and
519 intelligently disabled by default in favor of a protocol whitelist.)
520 What this means is that HTML_Safe has no qualms of accepting input
522 the tags in those arrays. Scratch standards-compliance (and that was
523 without even considering proper nesting).</p>
525 <p>For now, HTML_Safe might be safe from
527 In the future, however, one of the infinitely many tags that HTML_Safe lets
528 through might just possibly be given special functionality by browser vendors.
530 solution puts you at a perpetual arms race against crackers who are constantly
531 discovering new and inventive ways to abuse tags and attributes that you
532 didn't blacklist.</p>
552 </table>
554 <p>To be truthful, I didn't do as comprehensive a code survey for kses
555 as I did for some of the other libraries. Out of
556 all the classes I've reviewed so far, kses was definitely the hardest to
557 understand.</p>
559 <p>kses's modus operandi is splitting up html with a monster regexp
561 suffers from the same problems as Input Filter: no well-formedness
562 checks leading to rampant runaway tags (and no standards-compliance).
563 WordPress, the primary user of kses today, had to implement their
564 own custom tag-balancing code to fix this problem: don't use this
565 library without some equivalent!</p>
567 <p>Its whitelist syntax, however, is the most complex of all these libraries,
568 so I'm going to take some time to argue why this particular implementation
569 is bad. The author of this library was thoughtful enough to provide some
570 basic constraint checks on attributes like maxlen and maxval. Now, barring
571 the fact that there simply aren't enough checks, and the fact that they are
572 all lumped together in one function, we now must wonder whether or not
573 the user will go through the trouble of specifying the maximum length
574 of a title attribute.</p>
576 <p>I have my opinions about inherent human laziness, but perhaps WordPress's
577 default filterset is the most telling example:</p>
579 <pre>
580 $allowedposttags = array (
581 /* formatted and trimmed */
582 'hr' => array (
583 'align' => array (),
584 'noshade' => array (),
585 'size' => array (),
586 'width' => array ()
587 )
588 );
589 </pre>
591 <p>Hmm... do I see a blatant lack of attribute constraints? Conclusion:
592 if the user can get away with not doing work, they will! The biggest
594 the whitelist. The whitelist is just as important as the code that uses
601 HTML Checker</a> is (to my knowledge) the first attempt to make a filter
604 search result must have done something right.</p>
617 </table>
619 <p>Indeed, it is quite a well-written piece of code. It demonstrates
620 knowledge of inline versus block elements, thus almost nearly getting
621 nesting correct (the only exception is an unimplemented omitted SGML
624 <p>Unfortunately, part of the reason why it works so well is that it's
625 extremely restrictive. No styling, no tables, very few attributes.
626 Perfectly appropriate for blog comments, but then again, there's always
627 BBCode. This probably means that Safe HTML Checker has a different
628 goal than HTML Purifier.</p>
631 is also quite strict. Accidentally missed a < sign? The parser will
632 complain with the cryptic message:
634 is not well-formed</q>.
635 The solution is not as simple as just switching to a more permissive
636 parser: Safe HTML Checker relies on the fact that the parser will have
637 matched up the tags for them.</p>
652 </table>
663 </table>
665 <p>This is not to say that HTML Purifier doesn't have problems of its own.
666 It's a fairly nascent library (that doesn't mean its buggy though), it's big
667 (while the others usually fit in one file, this one requires a huge
669 features.</a> But even in its current state,
670 HTML Purifier is far better than the other libraries.</p>
674 </div>
675 </body>
676 </html>