In my CMS application, administration users can add HTML content via a WYSIWYG editor that gets filtered by HTMLPurifier. I am now wanting to add a message board functionality. I am planning on using the Zend StripTags Filter without a whitelist to remove all HTML, and then provide for rich markup by using Zend's BBCode or Textile parsers.
These are my questions:
- Can XSS make it through StripTags if I have no whitelist?
- Does adding BBCode or Textile as an output parser reintroduce the possibility of XSS?
After reading a post about Markdown here on SO, and another article linked in an answer to that post, it appears that reintroducing XSS into a document is not only possible, but trivial. To be secure, I will need to run content through HTMLPurifier as the final step in the output filter chain. Because I am concerned with the performance of HTMLPurifier as an output filter, I am looking into using Wibble instead.
This still leaves the first question unanswered, but in my case, that step will be unnecessary.
I discovered, when trying to use them, that Zend's BBCode and Textile are horribly buggy. I instead used PHP Markdown. Also, Wibble doesn't seem like it's production ready yet.
I used two columns in my database: `content` and `html`. The `content` column holds the user-submitted text. When saving the record, I convert `content` to HTML with PHP Markdown, pass it through HTMLPurifier and then save that value to the `html` column. That way I am not converting with every view.

Implementation Details

I put PHP Markdown here: `library/markdown.php`. In my active record model, using `Zend_Db_Table_Row_Abstract`, I use the `_insert()` and `_update()` hooks to process the values before the record is saved:

Here is my HTMLPurifier filter:
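The save-time pipeline the question describes (Markdown to HTML, then HTMLPurifier, then stored in the `html` column from the `_insert()`/`_update()` hooks), written out as an added example. This is not the asker's code; it assumes Zend Framework 1's `Zend_Db_Table_Row_Abstract`, the classic PHP Markdown `Markdown()` function at `library/markdown.php`, HTMLPurifier reachable via `HTMLPurifier.auto.php`, and a hypothetical row class name `Application_Model_DbTable_Post_Row`. The allowed-element list is a constructed whitelist sized for what Markdown emits, not a recommendation from the page.

```php
<?php
// Added example, not the asker's code. Assumptions: ZF1 row class, PHP Markdown's
// Markdown() function in library/markdown.php, HTMLPurifier on the include path.
require_once 'library/markdown.php';
require_once 'HTMLPurifier.auto.php';

// Hypothetical class name; the table has columns `content` (Markdown) and `html`.
class Application_Model_DbTable_Post_Row extends Zend_Db_Table_Row_Abstract
{
    /** @var HTMLPurifier|null Shared instance: building the config is the slow part. */
    private static $_purifier = null;

    private static function _getPurifier()
    {
        if (self::$_purifier === null) {
            $config = HTMLPurifier_Config::createDefault();
            // Explicit whitelist (constructed here) of the elements Markdown produces.
            // Anything outside it, including script, on* handlers and iframes, is dropped.
            $config->set(
                'HTML.Allowed',
                'p,br,strong,em,ul,ol,li,blockquote,code,pre,h1,h2,h3,h4,a[href]'
            );
            // Restrict link schemes so javascript: and data: URIs never reach the page.
            $config->set('URI.AllowedSchemes', array(
                'http'   => true,
                'https'  => true,
                'mailto' => true,
            ));
            // Keep user links from passing page rank to whatever they point at.
            $config->set('HTML.Nofollow', true);
            // Purifier caches its definitions; give it a writable directory.
            $config->set('Cache.SerializerPath', sys_get_temp_dir());
            self::$_purifier = new HTMLPurifier($config);
        }
        return self::$_purifier;
    }

    /**
     * Convert stored Markdown to HTML and sanitise it. Purifier runs last so that
     * markup re-introduced by the Markdown renderer is subject to the whitelist too.
     */
    public static function renderHtml($markdown)
    {
        $html = Markdown($markdown);
        return self::_getPurifier()->purify($html);
    }

    // Runs once before a new row is written.
    protected function _insert()
    {
        $this->html = self::renderHtml($this->content);
    }

    // Runs before an existing row is updated, so an edited post is re-rendered.
    protected function _update()
    {
        $this->html = self::renderHtml($this->content);
    }
}
```

With this in place the view layer only ever echoes `$row->html`; the expensive purify step happens once per save rather than on every request, which is the performance point the question raises. Because `_update()` re-renders from `content`, a later edit to a post cannot bypass the purifier by going through a different code path.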