
Anyone have a config that allows form elements?

Posted by Tobiah 

I need my developers to be able to pass entire (credit card) information collecting documents to a hardened, protected PCI compliant payment server. Since the HTML that will be displayed to the user's browser is trusted, but comes from a less hardened machine, I'd like to cleanse it with HTMLPurifier. Ideally, I'd be able to pass an entire document with forms, but failing that, it would be fine if I could just allow checkbox, text and select elements. I could create a generic form on the secure side.

I saw a document somewhere on adding tags, but it was pretty complex. Is there a config out there that will take form elements?

By the way, HTMLPurifier is awesome, but it seems to me that its scope is narrow - it seems to assume random user posts to an HTML forum. My case illustrates that there are broader uses.

Thanks,

Tobiah

Re: Anyone have a config that allows form elements?
June 16, 2011 01:11PM

There is an implementation of forms for %HTML.Trusted, you can probably selectively enable it for your use-case. However, I don't think allowing forms is very secure, since it allows for very bad phishing attacks.

How would I enable it?

The forms would only be allowed to have an empty action; they always submit to themselves. How else would someone phish? Also, if I could just enable form elements, I would be happy providing the form myself.

Thanks,

Tobiah

Re: Anyone have a config that allows form elements?
June 17, 2011 01:45PM
The forms would only be allowed to have an empty action; they always submit to themselves.

Not by default: you'd have to code that.

How would I enable it?

Probably the easiest thing to do is to copy-paste the definitions from HTMLPurifier/HTMLModule/Forms.php and then tweak them as appropriate. Note that these definitions assume trusted users, so please please please check all of the fields you allow carefully.

Re: Anyone have a config that allows form elements?
November 26, 2011 03:13AM

You say above "Probably the easiest thing to do is to copy-paste the definitions from HTMLPurifier/HTMLModule/Forms.php"

Where would we copy and paste to?

Also, is there an easier way to enable forms rather than having to add a huge block of extra code that you already have written (i.e. include_once("HTMLPurifier/HTMLModule/Forms.php"))? Rather than switch to "Trusted" mode, I'd just like to add Forms in addition to HTML Purifier's default set of acceptable elements and attributes.

Thanks.

Re: Anyone have a config that allows form elements?
November 26, 2011 01:44PM

While following the instructions here: http://htmlpurifier.org/docs/enduser-customize.html (so, essentially, where you configure HTML Purifier.)

The problem with using Forms as it stands is that it is not actually XSS safe. HTML Purifier goes out of its way to make doing unsafe things hard.

Re: Anyone have a config that allows form elements?
November 29, 2011 04:20PM

From reading one of your previous posts, I was under the impression that HTML Forms are XSS safe, but not Phishing safe. Phishing is not as much a concern for me, since we warn our users via javascript popup on form submit.

Re: Anyone have a config that allows form elements?
November 30, 2011 04:52PM

I'm making a stronger claim. I haven't looked closely at all of the form attributes to see if there wouldn't be any really subtle XSS vulnerabilities. Proceed at your own risk.

Rob LaRubbio
Re: Anyone have a config that allows form elements?
December 28, 2011 10:06AM

I'm also running into an issue getting htmlpurifier to allow forms. My first question is how do I enable logging or debug output? I'd love to see if I can get any additional information from the library to help me debug my issue.

As far as trying to get forms enabled, I set HTML.Trusted to true and my form is stripped out. I've tried adding the 'Forms' module to HTML.AllowedModules, I've copied and pasted the code from Forms.php into my config and even manually tried enabling the forms module by calling HTMLModuleManager->addModule. Since all of those failed (including setting trusted) I figure there is something else I'm not doing correctly. (However when setting Trusted to true script tags are getting through so the setting is being set correctly)

Re: Anyone have a config that allows form elements?
December 29, 2011 03:15AM

Can you paste your configuration? Better logging/debugging output is something that is on the TODO, but doesn't really exist right now. Usually, though, when it's "not working", it's because you set %HTML.Allowed and forgot to specify everything necessary.

Re: Anyone have a config that allows form elements?
December 29, 2011 01:12PM

I've gone through a couple of iterations. The first thing I tried was adding 'form' and 'input' to HTML.Allowed. When that didn't work I removed the call to set HTML.Allowed. I've also tried it with:

- HTML.Trusted set. I don't want to do that since the html isn't trusted
- Adding 'Forms' as a core module
- Accessing the HTMLModuleManager to add the Forms module
- Pasting the Forms.php code into my custom def

<pre><![CDATA[
<?php
require_once 'library/HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();

// This line is commented out in all of the configs that I tried
// $config->set('HTML.Allowed', 'p,b,i,br,a[href],table[summary],th[abbr],td[abbr],tr,*[class],h1,h2,h3,h4,h5,form[action|method],input[alt]');

$config->set('HTML.DefinitionID', 'moai-dashboard-plugins');
$config->set('HTML.DefinitionRev', 1);
$config->set('URI.DisableExternalResources', true);
$config->set('Cache.DefinitionImpl', null); // remove this later!

// I've tried with each of these individually uncommented.
//$config->set('HTML.CoreModules', array('Forms' => true));
//$config->set('HTML.Trusted', true);

$config->set('HTML.DefinitionRev', 1);
if ($def = $config->maybeGetRawHTMLDefinition()) {
    // I've pasted the code from HTMLModule/Forms.php in here and that didn't work.

    // I've also tried this: (I forget the exact syntax I used at the time to access the manager)
    $def->manager->addModule('Forms');
}
]]></pre>

Re: Anyone have a config that allows form elements?
December 29, 2011 07:34PM

This works. Perhaps your test vector was wrong?

<?php
require_once 'library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Trusted', true);
$purifier = new HTMLPurifier($config);
echo $purifier->purify('<form action=""><div>Contents</div></form>');

Re: Anyone have a config that allows form elements?
December 30, 2011 01:31AM

Interestingly with this input the form is removed:

<pre><![CDATA[
<form action="http://localhost:8787/plugin_proxy.php" method="POST" enctype="multipart/form-data">
Message: <input type="text" name="msg"><br>
<input type="file" name="file"><br>
<input type="submit">
<input type="hidden" name="x-moai-guid" value="6047E3E1-1ADE-401C-A5D1-7D0F0AF487C0">
<input type="hidden" name="x-moai-path" value="addmessage">
</form>
]]></pre>

But it is kept in with this:

<pre><![CDATA[
<form action="http://localhost:8787/plugin_proxy.php" method="POST" enctype="multipart/form-data">
<div>
Message: <input type="text" name="msg"><br>
<input type="file" name="file"><br>
<input type="submit">
<input type="hidden" name="x-moai-guid" value="6047E3E1-1ADE-401C-A5D1-7D0F0AF487C0">
<input type="hidden" name="x-moai-path" value="addmessage">
</div>
</form>
]]></pre>

Re: Anyone have a config that allows form elements?
December 30, 2011 01:44AM

Also I'm still trying to figure out how to enable just the forms module. I don't want to use HTML.Trusted since I don't want scripts but adding it to HTML.AllowedModules doesn't seem to do anything.

Re: Anyone have a config that allows form elements?
December 30, 2011 05:23AM

Ah. This is because, apparently, a bare input element is not valid in forms for the strict doctype (but is OK for the transitional doctype), and the forms module is currently coded up for strict. This should get fixed...

Re: Anyone have a config that allows form elements?
December 30, 2011 06:15AM

BTW, %Core.CollectErrors might be a partial solution to the debugging info you would have been looking for.

Re: Anyone have a config that allows form elements?
December 30, 2011 09:57AM

OK, fixed in master.

Re: Anyone have a config that allows form elements?
February 15, 2012 04:22PM

So how would you modify this code to work without using HTML.Trusted? How would you just enable the Forms module? Like larubbio, I need to accept form tags but not script tags.

<?php
require_once 'library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
echo $purifier->purify('<form action=""><div>Contents</div></form>');
?>
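One way to do what the last post asks, shown here as an added example rather than code from this thread or from the HTML Purifier project: the Forms module is switched on through the %HTML.Forms directive, which is assumed to exist in the release in use (it does in current releases), and the whitelist, the sample form and the empty-action check are constructed for this example.

```php
<?php
// Added example: enable form controls without HTML.Trusted. Assumes a release
// with the %HTML.Forms directive and the library path used in this thread.
require_once 'library/HTMLPurifier.auto.php';

// HTML.Trusted stays at its default (false), so script stays out; the Forms
// module is switched on by itself and then narrowed to the controls we need.
function makeFormPurifier()
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Forms', true);
    $config->set('HTML.Allowed',
        'div,p,br,form[action|method],'
        . 'input[type|name|value|checked],select[name],option[value|selected]');
    // Record why nodes were dropped (the debugging aid mentioned above).
    $config->set('Core.CollectErrors', true);
    return new HTMLPurifier($config);
}

// The thread's own anti-phishing rule: forms may only submit to themselves. HTML
// Purifier does not enforce that, so the purified output is checked for it here.
// An absent action also posts back to the current page, so it passes as well.
function formsSubmitToSelf($html)
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('form') as $form) {
        if ($form->getAttribute('action') !== '') {
            return false;
        }
    }
    return true;
}

// Constructed test document: a card form plus markup that must not survive.
$dirty = '<form action="" method="post"><div>'
       . 'Card holder: <input type="text" name="holder" /><br />'
       . '<input type="checkbox" name="save" checked="checked" /> Save card '
       . '<select name="exp_year"><option value="2012">2012</option></select>'
       . '<input type="submit" value="Pay" />'
       . '</div></form>'
       . '<script>alert(1)</script>'
       . '<input type="text" name="x" onfocus="alert(1)" />';
$purifier = makeFormPurifier();
$clean = $purifier->purify($dirty);
echo $clean, "\n";
echo $purifier->context->get('ErrorCollector')->getHTMLFormatted($purifier->config), "\n";
echo formsSubmitToSelf($clean) ? "forms submit to self\n" : "foreign action found, rejecting\n";
```

The script element and the onfocus attribute are dropped because HTML.Trusted is off and they are not in the whitelist, while the form and its controls survive; keep the controls inside a block element such as div, as the thread found bare controls directly under form were rejected.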