I'm working on an app that would allow people to enter arbitrary URLs that would be included in <a href="ARBITRARY URL"> and <img src="ARBITRARY URL" /> tags.

What type of security risks am I looking at?

The app is coded in PHP, and the only security countermeasure I currently perform is using PHP's htmlentities() function against the input URL before sending it as HTML. I'm also checking to make sure that the URL text starts with either http:// or https:// but I don't know if that's accomplishing anything, security wise.

What else should I be doing to ensure the security of my end users?
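Added example, not code from the question or from any answer: a small PHP wrapper that does what the question's two measures (an `http://`/`https://` prefix check plus `htmlentities()`) are trying to do, but in the order and with the flags a defender would want. It parses the URL, allowlists the scheme (so `javascript:`, `data:` and friends never reach the markup), refuses control characters and embedded credentials, optionally enforces a host allowlist, and only then escapes for the attribute context with `ENT_QUOTES`. Assumptions: PHP 8 or later, UTF-8 output, and the function and variable names are mine.

```php
<?php
// Added example (not from the question or any answer): a defensive wrapper
// for user-supplied URLs that end up in href/src attributes.
// Assumptions: PHP 8+, UTF-8 output; $allowedHosts is an optional allowlist.

declare(strict_types=1);

/**
 * Returns the URL if $input is acceptable, or null if it is rejected.
 * Rejects any scheme other than http/https (javascript:, data:, vbscript: ...),
 * control characters, embedded user:pass@ credentials, and, when an
 * allowlist is given, any host not on it.
 */
function validate_external_url(string $input, ?array $allowedHosts = null): ?string
{
    $url = trim($input);

    // Control characters (newline, tab, NUL...) have no place in a URL and are
    // a classic way to confuse both browsers and naive prefix checks.
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // Scheme allowlist, compared case-insensitively: "HTTP://" is still http.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // user:pass@host URLs are mostly used to mislead readers about the host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    $host = strtolower($parts['host']);
    if ($allowedHosts !== null
        && !in_array($host, array_map('strtolower', $allowedHosts), true)) {
        return null;
    }

    return $url;
}

/**
 * Escapes a value for a double-quoted HTML attribute.
 * ENT_QUOTES matters: before PHP 8.1, htmlentities() defaulted to ENT_COMPAT,
 * which leaves single quotes alone, so a single-quoted attribute could be closed.
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Builds an <img> tag, or returns '' if the URL was rejected. */
function img_tag(string $userUrl, ?array $allowedHosts = null): string
{
    $safe = validate_external_url($userUrl, $allowedHosts);
    if ($safe === null) {
        return '';
    }
    return '<img src="' . attr($safe) . '" alt="" />';
}

// Constructed sample inputs, one per concern raised in this thread.
$samples = [
    'https://example.com/pic.png',                       // accepted
    'javascript:alert(1)',                               // wrong scheme
    'data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=',        // data: URL, rejected
    'http://example.com/a.png" onmouseover="alert(1)',   // quote breakout: neutralised by attr()
    "http://example.com/a.png\nonerror=alert(1)",        // control character
    'http://user:pw@example.com/',                       // embedded credentials
    'http://other.example/x.png',                        // host not on the allowlist
];
foreach ($samples as $s) {
    $out = img_tag($s, ['example.com']);
    printf("%-52s => %s\n", addcslashes($s, "\0..\37"), $out === '' ? '(rejected)' : $out);
}
```

The fourth sample is the one the prefix check alone does nothing about: it starts with `http://`, so it passes validation, and it is the attribute escaping that turns the stray `"` into `&quot;` so no `onmouseover` attribute is ever created. Validation and escaping answer different questions and both are needed.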

+2  A: 

You would like to read about XSS (Cross site scripting) and XSRF (Cross site request forgery).

EDIT: As pointed out by ryeguy, you can pretty much copy and paste any of the examples in XSS (Cross Site Scripting) Cheat Sheet and seek the best way to prevent from them accordingly.

Alex Bagnolini
+2  A: 

You should sanitize at all times; img tags are vulnerable to cross-site scripting.

pablasso
+3  A: 

Take a look at the XSS Checklist.

ryeguy
Thanks, I'm using the CodeIgniter framework, which has an xss_clean() function. I tried about half of the examples on that site after passing them through xss_clean() and it replaced all the vulnerable text with the string "[removed]".
Dolph
+1  A: 

In addition, it is possible to insert whole images into URLs using inline data in newer browsers. It might be possible to inject something through there, however that would require a gaping browser-side security hole and I would not know how to sanitize something like that.

Maybe you just want to restrict access to certain domains, or check whether an image physically exists? That might already help a lot.

Pekka
+1  A: 

CSRF:

<img src="http://example.org/accounts/123/delete" />
orip
That's awesome.
Dolph
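Added example, not code from the answer above: the defence for the `<img src="http://example.org/accounts/123/delete" />` case lives on the target site, not in the app that renders user URLs. The browser will fetch that image with a plain GET carrying the victim's cookies, so the endpoint must refuse to change state on GET and must require a secret the attacker's page cannot know. Assumptions: PHP 8 or later with sessions; the function names, the `$ownOrigin` value and the simulated requests are mine and constructed for the demonstration.

```php
<?php
// Added example (not from the answer): a state-changing endpoint that an
// <img src="..."> fetch cannot trigger. Assumes PHP 8+ and session support.

declare(strict_types=1);

/** Returns the per-session CSRF token, generating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Decides whether a state-changing request may proceed. Kept as a pure
 * function of the request so it can be tested without a web server:
 *  - GET/HEAD never change state, so an <img> fetch can do nothing;
 *  - the submitted token must equal the session token (constant-time compare);
 *  - when the browser sends an Origin header, it must be our own origin.
 */
function csrf_request_allowed(
    string $method,
    ?string $submittedToken,
    string $sessionToken,
    ?string $originHeader,
    string $ownOrigin
): bool {
    if (!in_array(strtoupper($method), ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
        return false;
    }
    if ($submittedToken === null || !hash_equals($sessionToken, $submittedToken)) {
        return false;
    }
    if ($originHeader !== null && $originHeader !== $ownOrigin) {
        return false;
    }
    return true;
}

// --- constructed demonstration --------------------------------------------
$session   = [];                       // stands in for $_SESSION
$token     = csrf_token($session);
$ownOrigin = 'https://example.org';    // assumed origin of the site being protected

// 1. What the <img src="http://example.org/accounts/123/delete"> tag produces:
//    a GET with cookies but no form body and no token.
var_dump(csrf_request_allowed('GET', null, $token, null, $ownOrigin));            // bool(false)

// 2. A cross-site form POST: the browser sends the attacker's Origin and the
//    attacker cannot read the victim's token, so both checks fail.
var_dump(csrf_request_allowed('POST', 'guess', $token, 'https://evil.example', $ownOrigin)); // bool(false)

// 3. The legitimate delete: same-origin POST carrying the session's token.
var_dump(csrf_request_allowed('POST', $token, $token, $ownOrigin, $ownOrigin));   // bool(true)

// In the real handler the token is printed into the delete form as a hidden
// field and the call becomes:
//   csrf_request_allowed($_SERVER['REQUEST_METHOD'], $_POST['csrf_token'] ?? null,
//                        csrf_token($_SESSION), $_SERVER['HTTP_ORIGIN'] ?? null, $ownOrigin)
// Setting the session cookie with SameSite=Lax (session_set_cookie_params in
// PHP 7.3+) adds a second, browser-enforced layer against the same attack.
```

Case 1 is exactly the request the answer's `<img>` tag generates, and it fails on the method check before any token logic runs; that is the property to aim for, since any GET that changes state is reachable from an image tag on a page you do not control.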
+1  A: 

It is possible to construct an image that is also a valid javascript file, and get a browser to execute it. See http://www.thinkfu.com/blog/?p=15

SVG images (mime-type image/svg+xml) can contain javascript. See http://www.w3.org/TR/SVG/interact.html

Mike Samuel
... yikes, this is more along the lines of what I was worried about. Thanks.
Dolph
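Added example, not code from the answer above: if the app fetches or re-serves user-supplied images, two server-side checks address the two risks just named. Parsing the bytes with `getimagesizefromstring()` against a raster-only allowlist rejects SVG outright (GD does not recognise it, and SVG may carry script), and re-encoding through GD throws away everything that is not pixel data, which is what an image-that-is-also-JavaScript polyglot depends on. Assumptions: PHP 8 or later with the GD extension; the 1x1 GIF and the SVG document are constructed test inputs; function names are mine.

```php
<?php
// Added example (not from the answer): server-side checks on image bytes
// before they are re-served to users. Assumes PHP 8+ with the GD extension.

declare(strict_types=1);

/**
 * Returns the IMAGETYPE_* constant if $bytes parse as GIF/JPEG/PNG/WEBP,
 * or null otherwise. SVG is deliberately absent: getimagesizefromstring()
 * does not recognise it, and an SVG document can contain <script>.
 */
function detect_raster_image(string $bytes): ?int
{
    $info = @getimagesizefromstring($bytes);   // warning suppressed for junk input
    if ($info === false) {
        return null;
    }
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_WEBP];
    return in_array($info[2], $allowed, true) ? $info[2] : null;
}

/**
 * Decodes the image with GD and returns fresh PNG bytes, or null if GD
 * cannot decode it. Comment blocks, trailing data and other non-pixel bytes
 * do not survive this, so a file crafted to be both an image and a script
 * comes out as just an image.
 */
function reencode_as_png(string $bytes): ?string
{
    $im = @imagecreatefromstring($bytes);
    if ($im === false) {
        return null;
    }
    ob_start();
    imagepng($im);
    $out = ob_get_clean();
    return $out === false ? null : $out;
}

/** Response headers for proxying the re-encoded image to the browser. */
function image_response_headers(): array
{
    return [
        'Content-Type: image/png',
        'X-Content-Type-Options: nosniff',   // never let the browser guess a script type
        'Content-Disposition: inline; filename="image.png"',
        "Content-Security-Policy: default-src 'none'", // no effect on PNG; blocks script if HTML/SVG slipped through
    ];
}

// Constructed samples: a 1x1 transparent GIF and a minimal SVG with script.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$svg = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>';

var_dump(detect_raster_image($gif) === IMAGETYPE_GIF);   // bool(true)
var_dump(detect_raster_image($svg));                     // NULL
var_dump(reencode_as_png($svg));                         // NULL

$png = reencode_as_png($gif);
var_dump($png !== null && substr($png, 0, 8) === "\x89PNG\r\n\x1a\n"); // bool(true)
```

Only the re-encoded bytes are ever written to disk or sent to a browser; the original upload is treated as untrusted input and discarded. The `nosniff` header matters even then, because a browser that is allowed to sniff content types is the other half of what makes a polyglot file exploitable.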
A: 

In addition to the great answers so far, the xss cheat sheet doesn't really account for event attributes like onmouseover, onhover, etc. These are all, by design, there to allow someone to run some javascript when something happens.

Collin