I am making a small website and i am going to allow people to make profiles, in the profiles i want to allow them to use html codes to fix their profiles up like with music players, and images and scroll boxes stuff like that.

And i am having a hard time understanding how to do it, i was going to make 2 arrays one with bad codes and replace them with good codes in the other array with preg_replace() but i am not understanding how do i make it look for bad code that could be written in many way.

Could someone give me an example of how i would do this?

strip out

HTML Code:

<iframe> </iframe>

and

HTML Code:

<script></script>

tags

Are those the only two codes that people could use for xss attacks?

Because i was looking on some websites and they were showing all types of different codes that people put xss in and i want to make sure no one will put that stuff into the codes they put on my site.

pretty much. Everything else is just markup code.

What would happen if someone put in a code like this below?

HTML Code:

<IMG SRC=javascript:alert("XSS")>

What can i do to stop codes like that?

replace "javascript" with the equivalent ASCII entities

106 97 118 97 115 99 114 105 112 116

prepend "&#" and append ";" to each number

or just add a space

PHP Code:

str_replace("javascript:","java script:",$input) 


You can provide all problems only if you will use BB code!

I have never heard of ASCII entities before how do they help against xss?

Nope;

they just replace ASCII character with a browser renderable equivalent but "break" the "executable" aspect of the markup/source.

so j looks like "j" but will break a script tag (view the source code to see what I mean) )

http://www.w3schools.com/tags/ref_entities.asp

strip_tags() will strip all HTML tags by default, but you can make exceptions in the optional second parameter. I suggest you use this function, then make a limited list of what you will allow your users to utilize.

Quote:

Originally Posted by wayfarer07

strip_tags() will strip all HTML tags by default, but you can make exceptions in the optional second parameter. I suggest you use this function, then make a limited list of what you will allow your users to utilize.

Make sure to keep in mind that strip_tags does not remove attributes from allowed tags. A user can still insert a tag with onclick, mouseover, etc attributes.

Also, if you want to convert characters to their ASCII equivalent you can use the ord() function. Ex:

PHP Code:

echo '&#' . ord('j');
//will output &#106 and will appear as the character j in the browser 


Quote:

Originally Posted by NullPointer

Make sure to keep in mind that strip_tags does not remove attributes from allowed tags. A user can still insert a tag with onclick, mouseover, etc attributes.

Someone on the strip_tags page wrote a simple function that does just that, however: http://us2.php.net/manual/en/functio...tags.php#91498

Ok this is what i have so far

PHP Code:

<?php
// below is the string to searh for bad words in
$text = '<IMG SRC=javascript:alert("XSS")>';
// below is the words to look for
$find = array("javascript:",
              "alert",
              "onload");
// below is the words that they will replace          
$replace = array("javascript", // this will be ASCII characters
                 "alert", // this will be ASCII characters
                 "onload"); // this will be ASCII characters         
$filtered = str_ireplace($find,$replace,$text);
echo $filtered;
?>

now the above code does work but i have seen xss that uses other numbers in it and the above code does not do nothing to those xss attacks like below

PHP Code:

<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>

or 

<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> 


all that the above codes do is makes links, and i am assuming that when the person clicks that link something will happen.

below are all the codes that i want to allow people to have, any other code they use will be stripped out.

HTML Code:

<b><i><a><ul><li><hr><img><br><center><font><table><tr><td>
<p<div<object><param><embed><bgsound>

Now my question is what words do i filter out? or what characters should i replace with the ascii characters?

in reality the ONLY character you would need to replace to disable ANY tag is the first "<"

use &lt ( add a ";")

If i str_ireplace < to &lt/; without the slash it just shows all the code, it does not filter it out.

Yep, but it does prevent it executing.
So for things that may be difficult to set a regular expression for removal (due to the "greedy" nature of reg exp) is protects your system.
And if anyone is trying to inject scripts it hardly matters if their pages do look "broken".

I am lost, if i put the &lt/; tag they will not be able to make a profile because all their code will be shown on the page i want members to be able to have their tables or whatever they choose show up on their profiles as tables not code.

I am trying to figure out everything i need to strip out of the codes so no one can use xss on my site, and i am just not understanding because their are so many thing people can do.

If no one can give me a thorough answer i will take any links you have on this subject because i can not really find anything myself.

You remove the leading "<" from code YOU CONSIDER TO BE DANGEROUS!!!!!

I understand that part but how am i supposed to know if it is a good code or a bad code? If a person was to put in say 3 different codes if i replaced one "<" i would replace them all, and they all would show up on the profile as code.

You don't know and nobody can tell you ALL the possible code variations that can be employed, so you do not allow <iframe or <script element open tags to be "live" on the pages, as they are the two elements that can be easily used for malicious code.