[pmwiki-users] cookbook security advide needed

Peter & Melodye Bowers pbowers at pobox.com
Tue May 6 14:11:14 CDT 2008

> What is the best way to prevent submitting malicious code like 
> javascript. Is there a standard or  common used filter function for 
> that.  The filter should accept the css syntax bot nothing 
> more. Example:
> #123456
> 1px solid red
> 0.8em
> url(http://domain.net/img.jpg)

It's kind of "brute force" and lacking elegance, but something like this
might be a start in the right direction:

$ValidCSSPatterns = array('/#[0-9]+/', '/[0-9]+px\b/', '/\bsolid\b/',
'/\bred\b/', '/\b[0-9.]+em\b/', '/\burl\(http:[a-zA-Z.\/0-9-]+\)/');
$Result = trim(preg_replace($ValidCSSPatterns, '', $TextFromMarkup))
If ($Result) // if anything is left after stripping all valid CSS
   echo "ERROR - this CSS was not valid: $Result<br>\n";
Else {
   (process the $TextFromMarkup, feeling fairly confident that it's valid

Obviously the difficulty is to get a fairly complete "definition" of CSS in
an array of regexes.  Sounds kind of daunting...  On the other hand you
probably (?) don't need *all* of CSS and presumably could handle 80% of use
by getting the 20% of most common syntactical terms...?  I'm really out of
my element with CSS so I can't say, but this is *a* way that the problem
could be approached.



More information about the pmwiki-users mailing list