Regex XSS-ressistent?
#1
Question 
Hello!
I am migrating a Forum, there is no converting-Tool aviable, so I will have to create my own.

I try to add every BBCode, which works in the old forum, but not in the new one. One of the is
[user]username[/user]

My Regex looks like this:
\[user\]([^"&]+?)\[/user\]
and it will be replaced with:
<a href="../memberlist.php?username=$1">$1</a>

What I am wordering about is [^"&]. The " is to make sure, that it doesn't break out of the html-URL. The & is to make sure, it doesn't add GET-Parameters. Is there something else, I need to disallow to be secure? Is memberlist.php built to ressist XSS-Attacks by Username? Is there a Regex, an usename has to pass on registration?

Thanks in advance ...
Thomas
Reply
#2
You should use htmlspecialchars_uni function on the username if you are using it in an url. It is good practice because then you don't have to worry about the destination page properly sanitizing it.
Reply
#3
Hello!
Thanks for answering!

The problem is: I am using MyCode, so I just have Regex aviable, no htmlspecialchars.

Thomas131
Reply
#4
You can hook to parse_message to be able to use PHP code against the message. You will pass the variable $message by reference. http://docs.mybb.com/1.8/development/plugins/hooks/ If you wish to see an example, look at the source code for Spoiler mycode.
Reply
#5
Sorry, I just saw the answer.
Thank you!

Thomas131
Reply
#6
This user has been denied support. This user has been denied support.
Isn't it already htmlspecialchar'd when your mycode gets at it? (assuming that html disabled)

It's not something you should have to worry about in a MyCode, but then I'm not sure.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)