
IMG SRC

Posted by mk
February 12, 2012 04:03PM

Hello, I have a problem with HTML Purifier settings. If my input is, for example (it's the URL for logging out):

<img src="http://www.example.com/app/public/user/login/logout">

HTML Purifier is not able to purify this input. It only adds "alt", but the code is processed and the user is logged out. Is there any possibility to handle this?

My HTML Purifier settings are:

require_once('htmlpurifier/library/HTMLPurifier.auto.php');
$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8');
$config->set('HTML.Doctype', 'HTML 4.01 Transitional');
$config->set('Core.RemoveInvalidImg', true); // drop <img> elements whose src fails validation
$purifier = new HTMLPurifier($config);

$clean = $purifier->purify($dirty); // $dirty holds the untrusted HTML

Thanks for any advice

Re: IMG SRC
February 12, 2012 08:58PM

Don't have your logout page be triggered by a GET request. That's silly, and no one does it anymore.
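
The fix the reply above describes, as an added example rather than code from this thread or from the HTML Purifier project: a logout endpoint that refuses GET and additionally requires a per-session CSRF token, so an injected <img src="…/logout"> (which can only ever issue a GET and cannot read the token) does nothing. It assumes PHP 7 or later with plain PHP sessions; the function names and the /app/public/user/login/logout path are this example's own assumptions.

```php
<?php
// Added example, not code from this thread or from the HTML Purifier project:
// a logout endpoint that an <img src="..."> on another page cannot trigger.
// Two independent defences: the handler rejects anything but POST (an <img>
// fetch is always a GET), and it demands a per-session secret that a
// cross-site page has no way to read. Assumes PHP 7+ with plain PHP sessions;
// the function names and the logout path are this example's own assumptions.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

// Lazily create one random token per session.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// The logout control the application renders: a POST form carrying the token.
function logout_form_html(string $action = '/app/public/user/login/logout'): string
{
    $esc = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    };
    return '<form method="post" action="' . $esc($action) . '">'
         . '<input type="hidden" name="csrf_token" value="' . $esc(csrf_token()) . '">'
         . '<button type="submit">Log out</button></form>';
}

// Pure decision function, kept apart from the globals so it is easy to test.
// Returns the HTTP status to send: 405 for a non-POST request, 403 for a
// missing or wrong token, 200 when the session may be destroyed.
function logout_decision(string $method, array $post, string $expectedToken): int
{
    if ($method !== 'POST') {
        return 405;
    }
    $supplied = $post['csrf_token'] ?? null;
    // is_string guards against array-valued parameters (csrf_token[]=x);
    // hash_equals compares in constant time.
    if (!is_string($supplied) || !hash_equals($expectedToken, $supplied)) {
        return 403;
    }
    return 200;
}

function handle_logout(): void
{
    $status = logout_decision($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST, csrf_token());
    http_response_code($status);
    if ($status === 405) {
        header('Allow: POST');
        echo 'Logout requires a POST request.';
    } elseif ($status === 403) {
        echo 'Missing or invalid CSRF token.';
    } else {
        $_SESSION = array();
        session_destroy();
        echo 'Logged out.';
    }
}

if (PHP_SAPI !== 'cli') {
    handle_logout();
}
```

With this in place the request the injected image tag produces (a GET with no body) gets 405, a POST with a missing or guessed token gets 403, and only the application's own form, which embeds the token it can read from the session, gets 200. Marking the session cookie SameSite is a useful second layer, but the token check is what makes the endpoint safe regardless of browser behaviour.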

Re: IMG SRC
February 17, 2012 04:31AM

HTML Purifier is not able to purify this input. It only adds "alt", but the code is processed and the user is logged out. Is there any possibility to handle this?

There's no (sane) way to handle this, because HTML Purifier doesn't know what a link may or may not cause. HTML Purifier is not your problem here, though, you generally have a CSRF vulnerability you need to take care of - so what you're looking for are solutions to prevent cross-site request forgery, e.g. securing your logout with a CSRF token.

If all you want to do is prevent a page from having the word 'logout' in it, you can write an attribute transformation that strips 'href' if its value contains 'logout'.

(Edit: Fixed formatting after an HTML escaping issue ravaged the forum.)

Edited 1 time(s). Last edit at 07/30/2012 01:57PM by pinkgothic.
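
The attribute transformation mentioned in the reply above, written out as an added example (not code from this thread or from the HTML Purifier project). It drops a src or href whose URL path contains "logout" and registers itself as a global post-validation transform via the raw HTML definition. It is a policy stop-gap, not a fix for the CSRF bug on the logout endpoint. The class and function names are this example's own; it assumes HTML Purifier is installed at the path used in the original post.

```php
<?php
// Added example, not code from this thread or from the HTML Purifier project:
// a custom attribute transform that drops a src or href whose URL path
// contains "logout". Policy stop-gap only; the real fix is on the server.
// Assumes HTML Purifier is installed at the path used in the original post.
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

class StripLogoutUrls extends HTMLPurifier_AttrTransform
{
    // Attributes that carry a URL on the elements we care about.
    private $urlAttrs = array('src', 'href');

    public function transform($attr, $config, $context)
    {
        foreach ($this->urlAttrs as $name) {
            if (!isset($attr[$name])) {
                continue;
            }
            // Match on the decoded path so "log%6Fut" does not slip past.
            $path = parse_url($attr[$name], PHP_URL_PATH);
            $path = is_string($path) ? rawurldecode($path) : '';
            if (stripos($path, 'logout') !== false) {
                // With Core.RemoveInvalidImg enabled, an <img> left without
                // src is dropped entirely; an <a> without href degrades to text.
                unset($attr[$name]);
            }
        }
        return $attr;
    }
}

function makeLogoutStrippingPurifier()
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
    $config->set('Core.RemoveInvalidImg', true);
    // Customising the definition needs an ID/Rev pair so the definition cache stays valid.
    $config->set('HTML.DefinitionID', 'strip-logout-urls');
    $config->set('HTML.DefinitionRev', 1);
    $def = $config->maybeGetRawHTMLDefinition();
    if ($def !== null) {
        // Global post-transform: runs on every element after its attributes are validated.
        $def->info_attr_transform_post[] = new StripLogoutUrls();
    }
    return new HTMLPurifier($config);
}

$purifier = makeLogoutStrippingPurifier();
// Constructed inputs: the logout URL from the original post and a harmless image.
echo $purifier->purify('<img src="http://www.example.com/app/public/user/login/logout">'), "\n";
echo $purifier->purify('<img src="http://www.example.com/images/logo.png" alt="logo">'), "\n";
```

maybeGetRawHTMLDefinition returns null once the customised definition has been cached, which is why the registration is guarded; bump HTML.DefinitionRev whenever the transform changes. Keep in mind that this only filters one spelling of one path and says nothing about any other state-changing GET the application exposes.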

Pankaj Garg
Re: IMG SRC
February 06, 2013 07:41AM

Hi,

Below is the code for the image:

<img src="cid:ii_13caf061fab44f94" alt="Inline image 1">

HTML Purifier removes this image's src. I have tried HTML.Allowed as img[alt|src] and also set Core.RemoveInvalidImg to false,

but I am still not receiving the src as it is.

Please assist. Thanks in anticipation.

Regards, Pankaj Garg

Re: IMG SRC
February 06, 2013 09:14AM

Hello, I have a problem with HTML Purifier settings. If my input is, for example (it's the URL for logging out):

<img src="http://www.example.com/app/public/user/login/logout">

HTML Purifier is not able to purify this input. It only adds "alt", but the code is processed and the user is logged out. Is there any possibility to handle this?

My HTML Purifier settings are:

require_once('htmlpurifier/library/HTMLPurifier.auto.php');
$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8');
$config->set('HTML.Doctype', 'HTML 4.01 Transitional');
$config->set('Core.RemoveInvalidImg', true); // drop <img> elements whose src fails validation
$purifier = new HTMLPurifier($config);

$clean = $purifier->purify($dirty); // $dirty holds the untrusted HTML

Thanks for any advice

I'm pretty sure that the link in the img src is not a valid image file. It should be pointing to a gif, jpg, png file etc., which is why Purifier is removing it.

ImpressCMS: Make A Lasting Impression

Re: IMG SRC
February 06, 2013 04:54PM

@Pankaj Garg: cid is not a supported URL 'schema'. You should use the HTML Purifier after cid references have been changed to URL references. :) If that's not possible, you may have to look into providing a URL schema handling class. (Note: You can use the HTML Purifier to pretransform the img-src to change cid into img-src, I've done this before in a project I used to work in. I think Edward may even have some code from me on that subject... dunno if he's still considering making it a feature, though. :) )

@vaughan: The reported problem is that HTML Purifier isn't removing it, though. And that is its expected/designed behaviour, too - it can't guess what a link is going to do and if the HTML is going to exploit an issue on the src-named server, it can only prevent exploits it knows about (those that would strike client-side, basically, or those that would strike the Purifier itself (e.g. by trying to get the parser to tie itself into a knot), not those of external applications... and this is a vulnerability in the external application, it's a CSRF issue).

Re: IMG SRC
February 06, 2013 06:29PM

Whooops it looks like I never got around to actually reviewing the CID patch (two years late, rawr!) -_- Probably should go look at that now...

HTML Purifier, Standards-Compliant HTML Filtering

Re: IMG SRC
February 07, 2013 06:02PM

Whooops it looks like I never got around to actually reviewing the CID patch (two years late, rawr!) -_- Probably should go look at that now...

It's been that long? ...time flies when you're having fun. :D I hope it's usable. If not, let me know, I'd be happy to tweak it so it fits.

Re: IMG SRC
February 17, 2013 07:00PM

OK, it looks like there are some changes that need to be made:

  • It is special-cased for CSS URI tags, but there is not really a good reason why normal links couldn't also have CID handling. So the 'CID-ified' URI handler should be a decorator around the normal URI handler. Which leads to the next point:
  • CID should be given a URIScheme. With this, the decorator can parse the URI first, and then check if it's a CID.
  • Similarly, it probably isn't necessary to have an attr transform on top of everything else; the AttrDef can handle the translation itself.

I think those are the biggies.

HTML Purifier, Standards-Compliant HTML Filtering

MGH
Re: IMG SRC
October 06, 2013 04:17AM

hi

// With Core.RemoveInvalidImg enabled:
$config = \HTMLPurifier_Config::createDefault();
$config->set('Core.RemoveInvalidImg', 1);
$purifier = new \HTMLPurifier($config);
echo $purifier->purify("<img src='http://ha.ckers.org/xss.js' />"); // echo <img src="http://ha.ckers.org/xss.js" alt="xss.js" />

// With Core.RemoveInvalidImg disabled:
$config = \HTMLPurifier_Config::createDefault();
$config->set('Core.RemoveInvalidImg', 0);
$purifier = new \HTMLPurifier($config);
echo $purifier->purify("<img src='http://ha.ckers.org/xss.js' />"); // echo <img src="http://ha.ckers.org/xss.js" alt="xss.js" />

Why can't Purifier clear that? Does another way exist that we can purify that?

Re: IMG SRC
October 06, 2013 08:50AM

hi

// With Core.RemoveInvalidImg enabled:
$config = \HTMLPurifier_Config::createDefault();
$config->set('Core.RemoveInvalidImg', 1);
$purifier = new \HTMLPurifier($config);
echo $purifier->purify("<img src='http://ha.ckers.org/xss.js' />"); // echo <img src="http://ha.ckers.org/xss.js" alt="xss.js" />

// With Core.RemoveInvalidImg disabled:
$config = \HTMLPurifier_Config::createDefault();
$config->set('Core.RemoveInvalidImg', 0);
$purifier = new \HTMLPurifier($config);
echo $purifier->purify("<img src='http://ha.ckers.org/xss.js' />"); // echo <img src="http://ha.ckers.org/xss.js" alt="xss.js" />

Why can't Purifier clear that? Does another way exist that we can purify that?

It's been said before, but basically, HTML Purifier doesn't remove that link because that link is perfectly valid. http://ha.ckers.org/xss.js is a well-formed http link. That it leads to something potentially malicious is not something that HTML Purifier can know - it would need to download the resource and analyse that resource, and given that some attacks expressly want you to request a link (e.g. for cross-site request forgery - see some of the posts above), that would unfortunately be a terrible idea.

(@Ambush Commander: My life's still kind of crazy at the moment, but I haven't forgotten about your points. I still hope to get to them sooner rather than later.)

Re: IMG SRC
October 06, 2013 01:38PM

No problem :)

HTML Purifier, Standards-Compliant HTML Filtering

kortez
Re: IMG SRC
October 14, 2013 01:25PM

My problem is similar, but first, this is my configuration:

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Doctype', 'HTML 4.01 Strict');
$config->set('Core.RemoveInvalidImg', true); // drop <img> elements whose src fails validation
$purifier = new HTMLPurifier($config);

and now when I'm using a WYSIWYG editor and put an image there like

<img alt="" src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAyADIAAD/4RCIRXhpZgAATU0AKgAAAAgAA4dpAAQAAAABAAAIPpyeAAEAAAAiAAAQXuocAAcAAAgMAAAAMgAAAAAc6gAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... "/> 

HTML Purifier cuts the image out of the HTML. What can I do about this?

Re: IMG SRC
October 14, 2013 01:55PM

You gotta enable data URIs, see %URI.AllowedSchemes (you need to add data to the list).

HTML Purifier, Standards-Compliant HTML Filtering
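
The setting from the reply above, shown as an added example (not code from this thread or from the HTML Purifier project). URI.AllowedSchemes is a full allow-list, so the value replaces the default rather than appending to it. With data: enabled, HTML Purifier validates a data: URI by decoding it and checking that the bytes really are a GIF, JPEG or PNG of the declared type, which is why the base64 JPEG from the editor survives while a data: SVG (as asked about further down the thread) is still dropped. The function name and the two constructed inputs are this example's own; it assumes HTML Purifier is installed at the path used in the original post.

```php
<?php
// Added example, not code from this thread or from the HTML Purifier project:
// enabling data: URIs for inline images while keeping the scheme list tight.
// Assumes HTML Purifier is installed at the path used in the original post.
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

function makeInlineImagePurifier()
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'HTML 4.01 Strict');
    $config->set('Core.RemoveInvalidImg', true);
    // This is the whole allow-list, not an addition to the default one.
    $config->set('URI.AllowedSchemes', array(
        'http'   => true,
        'https'  => true,
        'mailto' => true,
        'data'   => true, // needed for <img src="data:image/...;base64,...">
    ));
    return new HTMLPurifier($config);
}

// Constructed inputs: the well-known transparent 1x1 GIF, and an SVG document
// carrying an onload handler, both as data: URIs.
$gif = 'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';
$svg = base64_encode('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>');

$purifier = makeInlineImagePurifier();
// The GIF decodes to a real image of the declared type and is kept.
echo $purifier->purify('<img src="data:image/gif;base64,' . $gif . '" alt="dot">'), "\n";
// image/svg+xml is not an accepted data: type and the bytes are not a raster
// image, so the element is removed (Core.RemoveInvalidImg is on).
echo $purifier->purify('<img src="data:image/svg+xml;base64,' . $svg . '" alt="foo">'), "\n";
```

Enabling data: raises the size of what users can embed and lets an attacker bypass any image proxy or hotlink policy you apply to http URLs, so pair it with a length limit on stored HTML. If SVG must be supported, convert it to a raster server-side before purification rather than relaxing the scheme check.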

kortez
Re: IMG SRC
October 14, 2013 02:15PM

Thanks, it works.

zozlak
IMG SRC
October 25, 2013 04:29PM

HTML purifier allows

<img src="myImage.svg" alt="foo"/>

But if I encode the same image as a data URI

<img src="data:image/svg+xml;base64,ENCODED_IMAGE_GOES_HERE" alt="foo"/>

the img tag is removed.

What should I do to let it pass?

Re: IMG SRC
October 25, 2013 04:35PM

I think we don't understand how to deal with SVG cid's (it would require us to build in a proper SVG parser) so it's not allowed.

HTML Purifier, Standards-Compliant HTML Filtering
