PhpRiot
News Archive
PhpRiot Newsletter
Your Email Address:

More information

Blog fight round two

Note: This article was originally published at Planet PHP on 22 March 2011.
Planet PHP

Thanks PAdraic

So I hope you've enjoyed our blog fight between me and PAdraic Brady. I sense a lack of a sense if humour in his last post his blanket claims that regex html validation sucks were obviously unjustified. Anyway I was waiting for a cool XSS hole in htmlReg from him, it never came he did raise a valid point about a aoclickjackinga threat so I decided to update htmlReg/CSSReg to enable a site to disable all CSS positioning. Thanks very much PAdraic for reporting this issue!

Disable Positioning

htmlReg and CSSReg now have the option aodisablePositioninga this will stop you from be able to define elements which overlap each other, which is useful in a validation scenario not a iframe sandbox scenario (which htmlReg was originally intended). It's quite easy to use:-


htmlReg.disablePositioning = true;
alert(htmlReg.parse("")); //

Validate html

I didn't stop there while I had my IDE open, I decided to add a validate html option, using the new aoDOMParsera feature. As I looked deeper into the feature I wish I hadn't bothered when a invalid XML markup is encountered IE throws exception. FF, Op, Webkit doesn't. Webkit transforms XML and adds a parsing error node/FF entitiy encodes. Ugh. So anyway hopefully I made a cross browser solution which will prevent any invalid html markup. Anyway this is what I came up with that should work on newer browsers and older versions of IE:

StringtoXML = function (text){ try { if(window.DOMParser) { var parser=new DOMParser(); var doc=parser.parseFromString(text,'text/xml'); var xml = (new XMLSerializer()).serializeToString(doc); xml = xml.replace(/^\s*/,''); if(/]+/.test(xml)) { return 'Invalid html markup'; } else { return xml; } } else if(window.ActiveXObject){ var doc=new ActiveXObject('Microsoft.XMLDOM'); doc.async='false'; doc.loadXML(text); if(!doc.xml) { throw {}; } return doc.xml; } else { return text; } } catch(e) { return 'Invalid html markup'; } }

Thanks Paul Stone

An excellent bug was found by Paul Stone as a result of this blog fight In Firefox RC4 & latest Chrome he noticed that htmlReg was allowing invalid CSS markup, as he quite rightly pointed out htmlReg was checking if cssText contained something in RC4 but it wasn't passing the check as a result the invalid CSS was being allowed. The fix for this was quite simple and involved removing the style attribute if the cssText check wasn't passed. This didn't create a security breach as the invalid CSS was just that invalid and other browsers such as IE didn't allow this markup to be executed but it was a cool bug since htmlReg should not allow this invalid string.

The vector looked like this:-

test

The fix was simply to do this:-

if(element.getAttribute("style") !== '' && element.getAttribute("style") !== null && element.style.cssText !== '') {
...
} else {
//drop style attribute if it exists
element.style.cssText = null;
element.setAttribute("style","");
element.removeAttribute('style');
}

htmlReg rocky is waiting

htmlReg is in the ring waiting for you, please get in your corner and try your luck. I doubt you can win