tags:

views:

166

answers:

1
+1  Q: 

Using HTML Purifier to stop links to own site

I have used HTML purifier to weed out any suspect stuff coming in from my public facing WYSIWYG editor. The incoming HTML is also displayed in the public portion of the website.

I have allowed links, and I also automatically linkify URLs in plain text (using the purifier).

Is there a way to allow external links, but ban links to the same domain? E.g my domain is www.example.com

http://www.google.com will be linked.

http://www.example.com/logout/ will not be linked.

I am looking at minimizing any interference from malicious users. Should I just make my logout link a form action with a POST key/value pair to stop this from happening?

Thanks

+3  A: 

Your login/out form should ALWAYS be POST-only.

Don't worry about a verification value, but this is a pretty important security issue - any transactions which change the state of the webserver should be POST requests. You should NEVER allow http://example.com/object?action=delete, or any variant thereof. PHP encourages bad practice in this matter, but you should ALWAYS use one or the other, and NEVER allow both.

If your users can write forms into your WYSIWYG editor, you've got far bigger problems than this.

To answer your original question, to disable internal links, use URI.HostBlacklist and be sure to set URI.MakeAbsolute:

http://htmlpurifier.org/live/configdoc/plain.html#URI.HostBlacklist

Paul McMillan  2009-11-09 05:42:50
All URLs that perform an action other than just displaying data should always be POST-only.
Jani Hartikainen  2009-11-09 05:45:54
+1 Thanks for the answer. I'd still be interested however to know if I could stop people linking to my domain from within HTML purifier.
alex  2009-11-09 05:46:09
Edited to add the answer to that question.
Paul McMillan  2009-11-09 05:49:33
Ah, your edit is perfect! Don't worry, I have white-listed only what the WYSIWYG editor can insert.
alex  2009-11-09 05:49:35
Glad to be of assistance. Still... make a habit of separating POST and GET and avoid using them interchangeably. Your security will be better for it, and you'll bypass many security holes without knowing it.
Paul McMillan  2009-11-09 05:51:40

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?