What changed as regards to allowed chars in [URL]+[IMG]-Tags

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Locked
User avatar
mad-manne
Registered User
Posts: 776
Joined: Thu May 29, 2003 6:59 pm
Location: Marl, Germany

What changed as regards to allowed chars in [URL]+[IMG]-Tags

Post by mad-manne » Mon Sep 19, 2005 9:56 am

Hi there,
I have done some searching, but couldn't find the full answer.
Let me first start by telling you that I have been away from phpBB.com for a couple of months, so I'm not totally up-to-date :roll:

I have lately realized, that some of the topics I have running concerning my MODS do no longer correctly parse some of the URL and IMG-tags I am using to link to my screenshots and downloads.
Most apparently characters like ! and ( or ) contained in URL or IMG tags don't get parsed anymore!

I have read topics, where this issue has been dealt with, and I am aware, that parsing had to be made stricter due to security-issues. I also found some links to RFC about allowed chars in URLs, but I remain unsure, what exactly is allowed within phpBB's BB-Code Implementation.
You could say "Just study the regex, that handles this ...", but regex is still spanish to me :oops:

So before I start and edit all of my posts, in order to "reactivate" my links and IMG-Tags, I just wanted to make sure I'd now the whole story :P

Looking forward to your answers,
Manfred.
Try not. Do or do not. There is no try. (YODA)

User avatar
pentapenguin
Former Team Member
Posts: 11030
Joined: Thu Jul 01, 2004 4:15 am
Location: GA, USA
Contact:

Post by pentapenguin » Mon Sep 19, 2005 2:28 pm

I'm not the best in regexp either but I *think* the only characters allowed in URLs are:
A-Z
a-z
0-9
?
&
_
-
/ or \
%
~
.
=
;
:

Hope this helps. :)
Support Resources: Support Request Template
My Sites: Download my phpBB MODs | pentapenguin.com
If you need professional assistance with your board, please contact me for my reasonable rates.

User avatar
mad-manne
Registered User
Posts: 776
Joined: Thu May 29, 2003 6:59 pm
Location: Marl, Germany

Post by mad-manne » Mon Sep 19, 2005 2:47 pm

Although you might be right ... the point is, that I'm trying to figure out, what will still be allowed within the according BBCode-Tags for phpBB.

I used the chars stated above, and it worked at least until phpBB 2.0.13.
On the other hand, I might just try and totally avoid anything than the underscore and dash?!

Thanks anyway,
Manfred.
Try not. Do or do not. There is no try. (YODA)

User avatar
pentapenguin
Former Team Member
Posts: 11030
Joined: Thu Jul 01, 2004 4:15 am
Location: GA, USA
Contact:

Post by pentapenguin » Mon Sep 19, 2005 2:50 pm

The ones I posted are for the current version. ;)

And I can't recall off the top of my head for : and ; but the rest are legal URL characters per the specifications so they should always work.

Oh and I forgot one in the list above.
+ should work too.
Support Resources: Support Request Template
My Sites: Download my phpBB MODs | pentapenguin.com
If you need professional assistance with your board, please contact me for my reasonable rates.

User avatar
mad-manne
Registered User
Posts: 776
Joined: Thu May 29, 2003 6:59 pm
Location: Marl, Germany

Post by mad-manne » Mon Sep 19, 2005 3:18 pm

Well thanks Pentapenguin for the info ...

One thing I still don't understand: Where the Exclamation Mark and brackets [ ! ( ) ]actually disabled for security-reasons or where they just taken out of the allowed chars, to match what the according RFC says, while other characters were actually removed to fix security-holes?!

Thanks anyway,
Manfred.
Try not. Do or do not. There is no try. (YODA)

AnthraX101
Security Consultant
Posts: 497
Joined: Sun Nov 14, 2004 8:05 pm
Contact:

Post by AnthraX101 » Mon Sep 19, 2005 3:43 pm

mad-manne wrote: Well thanks Pentapenguin for the info ...

One thing I still don't understand: Where the Exclamation Mark and brackets [ ! ( ) ]actually disabled for security-reasons or where they just taken out of the allowed chars, to match what the according RFC says, while other characters were actually removed to fix security-holes?!

Thanks anyway,
Manfred.


Strictly speaking those three characters should not cause a security issue, but they should be escaped in order to comply to the RFC spec.

AnthraX101

User avatar
-jm-
Former Team Member
Posts: 2024
Joined: Fri Jul 16, 2004 10:56 am
Location: Inside the mind of the machine
Contact:

Post by -jm- » Mon Sep 19, 2005 4:09 pm

yes, + works :)

They were parsed all until 2.0.16 .
Then some of them - * and () IIRC - were used to steal cookies to IE users (XSS vulnerability) and then from 2.0.17 [url] and [img] with those characters are not parsed anymore.
-jm- (a.k.a. juanm) - *NO* private support
Hacked?
With so many beautiful colors in the world it’s a shame to make everything black and white - Dennis R. Little
my links: tips&stuff :: stuff only

AnthraX101
Security Consultant
Posts: 497
Joined: Sun Nov 14, 2004 8:05 pm
Contact:

Post by AnthraX101 » Mon Sep 19, 2005 4:23 pm

-jm- wrote: yes, + works :)

They were parsed all until 2.0.16 .
Then some of them - * and () IIRC - were used to steal cookies to IE users (XSS vulnerability) and then from 2.0.17 [url] and [img] with those characters are not parsed anymore.


Sorta, but the characters that caused it were [, ], and '. The major change was moving from a blacklist of known bad characters to a whitelist of known good ones. Unfortunately, many servers do not properly format their URLs and use reserved characters.

EDIT: The full listing of characters is as follows:

Code: Select all

A-Z
a-z
_
0-9
$
%
&
~
/
.
-
;
:
=
,
?
@
[
]
AnthraX101
Last edited by AnthraX101 on Mon Sep 19, 2005 4:32 pm, edited 1 time in total.

User avatar
mad-manne
Registered User
Posts: 776
Joined: Thu May 29, 2003 6:59 pm
Location: Marl, Germany

Post by mad-manne » Mon Sep 19, 2005 4:29 pm

-jm- wrote: They were parsed all until 2.0.16 .
Then some of them - * and () IIRC - were used to steal cookies to IE users (XSS vulnerability) and then from 2.0.17 [url] and [img] with those characters are not parsed anymore.
Now that's what I wanted to hear :mrgreen:
Well then .. I have a couple of posts to edit, to make all of my links work again :oops:

Thanks everyone for the info,
Manfred.
Try not. Do or do not. There is no try. (YODA)

User avatar
mad-manne
Registered User
Posts: 776
Joined: Thu May 29, 2003 6:59 pm
Location: Marl, Germany

Post by mad-manne » Mon Sep 19, 2005 4:39 pm

AnthraX101 wrote: EDIT: The full listing of characters is as follows:

Code: Select all

A-Z
a-z
... / ...
[
]
So would that mean I _could_ use the square-brackets [ ] instead of "normal" ones or will I have to fear, that these might also be forbidden someday?

/still a bit unsure
Manfred
Try not. Do or do not. There is no try. (YODA)

AnthraX101
Security Consultant
Posts: 497
Joined: Sun Nov 14, 2004 8:05 pm
Contact:

Post by AnthraX101 » Mon Sep 19, 2005 4:48 pm

mad-manne wrote:
AnthraX101 wrote:EDIT: The full listing of characters is as follows:

Code: Select all

A-Z
a-z
... / ...
[
]
So would that mean I _could_ use the square-brackets [ ] instead of "normal" ones or will I have to fear, that these might also be forbidden someday?

/still a bit unsure
Manfred


As of right now, you can use square brackets. I would not advise it however, as they may get removed in a future version as they can cause some problems. The easiest way to be sure it doesn't get changed in the future is to simply encode all characters but a-z, A-Z, 0-9, _, and /.

AnthraX101

Locked

Return to “2.0.x Discussion”

Who is online

Users browsing this forum: No registered users and 8 guests