views: 166

answers: 1

I have used HTML purifier to weed out any suspect stuff coming in from my public facing WYSIWYG editor. The incoming HTML is also displayed in the public portion of the website.

I have allowed links, and I also automatically linkify URLs in plain text (using the purifier).

Is there a way to allow external links, but ban links to the same domain? E.g. my domain is www.example.com

http://www.google.com will be linked.

http://www.example.com/logout/ will not be linked.

I am looking at minimizing any interference from malicious users. Should I just make my logout link a form action with a POST key/value pair to stop this from happening?

Thanks

+3  A: 

Your login/out form should ALWAYS be POST-only.

Don't worry about a verification value, but this is a pretty important security issue - any transactions which change the state of the webserver should be POST requests. You should NEVER allow http://example.com/object?action=delete, or any variant thereof. PHP encourages bad practice in this matter, but you should ALWAYS use one or the other, and NEVER allow both.

If your users can write forms into your WYSIWYG editor, you've got far bigger problems than this.

To answer your original question, to disable internal links, use URI.HostBlacklist and be sure to set URI.MakeAbsolute:

http://htmlpurifier.org/live/configdoc/plain.html#URI.HostBlacklist

Paul McMillan
All URLs that perform an action other than just displaying data should always be POST-only.
Jani Hartikainen
+1 Thanks for the answer. I'd still be interested however to know if I could stop people linking to my domain from within HTML purifier.
alex
Edited to add the answer to that question.
Paul McMillan
Ah, your edit is perfect! Don't worry, I have white-listed only what the WYSIWYG editor can insert.
alex
Glad to be of assistance. Still... make a habit of separating POST and GET and avoid using them interchangeably. Your security will be better for it, and you'll bypass many security holes without knowing it.
Paul McMillan
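The two pieces of advice in the answer (blacklist your own host in HTML Purifier, and make the logout endpoint POST-only) put together as an added example. This is not code from the question, the answer, or HTML Purifier's own documentation. It assumes HTML Purifier is installed through Composer, that the site is served from http://www.example.com/, that the session already holds a random `csrf_token`, and the constants, function names and sample markup are all made up for the illustration. A second pass with plain DOMDocument unwraps any link that still points at the site, so the outcome does not hinge on HTML Purifier's internal filter order.

```php
<?php
// Added example, not code from the question, the answer, or HTML Purifier's
// own documentation. Assumptions: HTML Purifier installed with Composer
// (vendor/autoload.php), the site served from http://www.example.com/, and a
// random 'csrf_token' already stored in the session.
require_once __DIR__ . '/vendor/autoload.php';

const OWN_HOST = 'example.com';             // matched as a substring of link hosts
const BASE_URL = 'http://www.example.com/'; // URI.MakeAbsolute needs URI.Base

/** Purifier that keeps external links but drops the href of links to our host. */
function build_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist only what the WYSIWYG editor can emit.
    $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,a[href]');
    // Turn bare URLs in text into <a> elements; their hrefs go through the
    // same URI filters as hand-written links.
    $config->set('AutoFormat.Linkify', true);
    // Resolve relative hrefs such as /logout/ against our base so they get a host.
    $config->set('URI.Base', BASE_URL);
    $config->set('URI.MakeAbsolute', true);
    // Reject any URI whose host contains one of these strings.
    $config->set('URI.HostBlacklist', [OWN_HOST]);
    return new HTMLPurifier($config);
}

/**
 * Second pass over purified HTML: unwrap any <a> that is still internal,
 * i.e. has no href left, has a relative href, or has a host containing
 * OWN_HOST. Uses DOMDocument only, so it is independent of the purifier.
 */
function strip_own_links(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate a fragment without <html>/<body>
    $doc->loadHTML('<?xml encoding="UTF-8" ?><div>' . $html . '</div>');
    libxml_clear_errors();
    // Snapshot the live NodeList before mutating the tree.
    foreach (iterator_to_array($doc->getElementsByTagName('a')) as $a) {
        $host = parse_url($a->getAttribute('href'), PHP_URL_HOST);
        if (!is_string($host) || strpos($host, OWN_HOST) !== false) {
            $a->parentNode->replaceChild($doc->createTextNode($a->textContent), $a);
        }
    }
    $out = '';
    foreach ($doc->getElementsByTagName('div')->item(0)->childNodes as $node) {
        $out .= $doc->saveHTML($node);
    }
    return $out;
}

/**
 * Logout endpoint built the way the question suggests: POST only, carrying a
 * key/value pair that must match the session. A GET to /logout/ does nothing,
 * so a link planted in user content cannot log anyone out; the token also
 * stops a form hosted on a third-party site from POSTing here.
 * Returns the HTTP status code to send.
 */
function handle_logout(string $method, array $post, array &$session): int
{
    if ($method !== 'POST') {
        return 405; // Method Not Allowed: state changes are POST-only
    }
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], (string) $post['csrf_token'])) {
        return 403; // wrong or missing token
    }
    $session = [];  // a real handler would also session_destroy() and expire the cookie
    return 303;     // See Other: redirect after the POST
}

// Constructed sample input: an external link, an absolute internal link,
// a relative internal link, and a bare internal URL that Linkify will wrap.
$sample = '<p><a href="http://www.google.com/">search</a> '
        . '<a href="http://www.example.com/logout/">bye</a> '
        . '<a href="/logout/">bye</a> http://www.example.com/logout/</p>';
echo strip_own_links(build_purifier()->purify($sample)), PHP_EOL;

// Constructed requests: a GET is refused outright, a POST needs the token.
$session = ['csrf_token' => 'constructed-random-token'];
echo handle_logout('GET', [], $session), PHP_EOL;
echo handle_logout('POST', ['csrf_token' => 'constructed-random-token'], $session), PHP_EOL;
```

Two points worth checking in your own deployment. URI.HostBlacklist matches each entry as a substring of the link's host, so `example.com` catches both `www.example.com` and bare `example.com` (and, harmlessly, hosts such as `example.com.attacker.net`), whereas `www.example.com` alone would let `http://example.com/logout/` through. And always include a relative `/logout/` link in your test input: that is the case that only works if the URI is made absolute before the host is compared, which is why the answer insists on URI.MakeAbsolute and why the DOM pass above treats any href without a host as internal.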