Smarty Forum Index Smarty
The discussions here are for Smarty, a template engine for the PHP programming language.

Cross-site scripting and Smarty (even in secure mode)

 
Post new topic   Reply to topic    Smarty Forum Index -> Add-ons
View previous topic :: View next topic  
Author Message
brettz9
Smarty Regular


Joined: 07 Jul 2006
Posts: 93

PostPosted: Wed Jul 12, 2006 4:50 pm    Post subject: Cross-site scripting and Smarty (even in secure mode) Reply with quote

I was wondering...

If you enable secure mode, and allow any old Joe to have a means of editing the templates and then allow them to be able to share their templated page with others over that server, is there anything native to Smarty to prevent them from adding let's say script tags and nasty code?
Back to top
View user's profile Send private message
DaKaLKa
Smarty Regular


Joined: 23 Apr 2006
Posts: 99
Location: Ketsch, Germany

PostPosted: Wed Jul 12, 2006 6:31 pm    Post subject: Reply with quote

Take a look at http://smarty.php.net/manual/en/variable.php.handling.php
with it you can configure what happens to "php"-Tags in smarty. If you disable php-tags like with SMARTY_PHP_REMOVE then the user can't do something nasty except manipulation variables which were assigned to smarty.
You can also look at http://smarty.php.net/manual/en/variable.security.settings.php, there you can find more security-Settings for smarty and i think, this should be enough for security or do you have an security-breaking-example when using those functions?
Hope that helps you!
Back to top
View user's profile Send private message
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

PostPosted: Wed Jul 12, 2006 7:01 pm    Post subject: Reply with quote

If you are talking about XSS attacks based on specially crafted HTML/CSS/JS techniques, then no, Smarty does nothing to prevent that. Security mode is meant to restrict access to server features -- but the idea is that even under secure mode, you must have a trusted relationship with your template users and/or your application must take its own steps to protect itself and its clients.
Back to top
View user's profile Send private message
brettz9
Smarty Regular


Joined: 07 Jul 2006
Posts: 93

PostPosted: Thu Jul 13, 2006 3:07 am    Post subject: Reply with quote

Thanks for the links DaKaLKa, though I should have been more clear. Yes, boots, that is what I was referring to.

It may be worth making the point you make in the security section of the documentation because use of the word "security" may give some coders a false sense of security.

For anybody coming across this thread looking for protection (XSS stands for cross-site scripting for those who don't know), the following I find quite helpful:

http://ha.ckers.org/xss.html
http://alistapart.com/articles/secureyourcode2 (esp. the solutions)
http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php (a function you can use to supposedly filter for all possible XSS--but without taking out harmless tags)

One other quite obvious issue is not to have or especially share any template code with templaters which displays any (normally hidden) links to unvalidated administrative functions (not a good idea anyways), assuming (falsely) that any admin flag verification will not be omitted (or reassigned if that is possible?) by the templater.
Back to top
View user's profile Send private message
brettz9
Smarty Regular


Joined: 07 Jul 2006
Posts: 93

PostPosted: Thu Jul 13, 2006 3:30 am    Post subject: Reply with quote

Since my interest is to allow CSS to users, I think your http://smarty.incutio.com/?page=SmartyDoc (the domain seems to be blocked in China for some reason--where I am now, though I got to it from a proxy) would be a big help potentially, allowing users to add (prefiltered) CSS to the template but having it processed into the head.

As far as I can tell though, your most comprehensive addition is singly missing the option to add style tags (unless to an imported url)? Is there some reason for this?

To my mind, the other head tags would have the least relevance to the average designer who'd work on the templates (though I see it could be convenient for admins not wanting to take the time to move the tags to the right place), whereas style would have a lot of relevance.

Mabye I'm missing something here...

thanks again,
Brett
Back to top
View user's profile Send private message
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

PostPosted: Thu Jul 13, 2006 3:54 am    Post subject: Reply with quote

Hi.

Just to maybe clarify the XSS / security issue: XSS goes far beyond a pure template engine's purvey. Indeed, Smarty can be (and is) used to generate things other than webpages/client (browser) based code. Smarty's security mode is only intended to help prevent template users from screwing with your server by injecting straight PHP code into the template. As you rightly point out, stopping XSS requires a much more comprehensive approach to designing your application and dealing with client generated responses.

As for SmartyDoc and <style> tags targeted for they <head>, they are possible using the {doc_raw} block -- but that simply dumps anything in the {doc_raw} block into the <head>.

Code:
{doc_raw}{literal}<style>
P { font-weight: bold; }
</style>{literal}{/doc_raw}


Of course, it can also dump JS code and anything else. {doc_raw} also supports a "target" attribute which can either be "body" or "head" with "head" being the default. I think I avoided adding script and style blocks in particular because they seem like the sort of thing that ought be in external sheets. I admit my thinking is a little bit changed on that since I first wrote the addon. One thing I was pondering is the idea of automatically stitching linked css/js files and {doc_raw} items into single files (one for JS, one for CSS) based on the current compile_id and cache_id -- or perhaps to allow rules determine how/when files are stitched. (The idea there is to improve client performance by limiting the requests made for a given call while still permitting some client caching by not just simply stuffing everything into <script> and <style> elements in the <head>.)

Another point is that my SmartyDocModule approach lets you build any sort of function or block plugin which is capable or targeting either the head or body and can coordinate other things automatically (such as one-time loading of required scripts, etc).

If you have comments regarding SmartyDoc, consider making them in its usual thread: http://www.phpinsider.com/smarty-forum/viewtopic.php?p=22977

I should make one note: the SmartyDoc code at the wiki is a little out-of-date compared to my current (private and unreleased) code. I've been hoping to update my various public code projects but I haven't had enough time to get to it.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Smarty Forum Index -> Add-ons All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP