1

Topic: Filtering scripts from conditional comments when 'comments'=>3

When I set safe=1 and comments=3, htmLawed will allow all comments, which is correct.

However I believe even with comments=3 htmLawed should parse conditional comments for scripts... for example:

<!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]-->

I know this is an edge case and for the most part, you can achieve this with comments=2, but I feel for completion, comments=3 should still filter for scripts.

Another possible approach could perhaps add another mode to comments, comments=4, where all comments are not parsed except for conditional comments, which are discarded.

Just my 2 cents.

2

Re: Filtering scripts from conditional comments when 'comments'=>3

Thanks for the point... will look into it.

3

Re: Filtering scripts from conditional comments when 'comments'=>3

For the moment, I suggest code like that shown below to remove 'script' elements from conditional comments; I might add this functionality in the next release of htmLawed.

// htmLawed filtering code (the '...' stands for whatever config array you already pass)
$text = htmLawed($text, ...);

// Re-pass the contents of every comment through htmLawed in 'safe' mode;
// 'balance'=>0 leaves the comment body's tag structure alone, so a
// conditional comment's [if ...]> and <![endif] wrapper survives intact.
function comment_safe($comment){
 return '<!--'. htmLawed($comment[1], array('safe'=>1, 'balance'=>0)). '-->';
}
$text = preg_replace_callback('`<!--(.*?)-->`s', 'comment_safe', $text);
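The two ideas in this thread, discarding conditional comments outright (the proposed comments=4 mode from the first post) and keeping every comment but re-filtering its body (the re-pass above), as one added example. This is not htmLawed's own code: strip_scripts() is a deliberately narrow stand-in for htmLawed($s, array('safe'=>1)) so the file runs without the library, and the regexes, function names and the sample input are all constructed here for illustration.

```php
<?php
// Added example (not htmLawed code). Two ways to handle IE conditional
// comments in HTML that has already been through htmLawed with comments=3:
//   1. drop_conditional_comments(): discard <!--[if ...]> ... <![endif]--> blocks
//      and leave ordinary comments untouched (the "comments=4" idea);
//   2. refilter_comments(): keep every comment but re-filter its body
//      (the re-pass idea). In production the body would go through
//      htmLawed(..., array('safe'=>1, 'balance'=>0)); strip_scripts() below is
//      only a stand-in so this runs stand-alone.

// Downlevel-hidden conditional comment: <!--[if ...]> ... <![endif]-->
const COND_COMMENT_RE = '`<!--\s*\[if[^\]]*\]>.*?<!\[endif\]\s*-->`is';
// Any HTML comment; the body is captured in $m[1]
const ANY_COMMENT_RE  = '`<!--(.*?)-->`s';

// Strategy 1: remove conditional comments, keep ordinary comments as-is.
function drop_conditional_comments(string $html): string {
    return preg_replace(COND_COMMENT_RE, '', $html);
}

// Stand-in for htmLawed's safe mode: removes script elements with their
// content, then any stray <script>/</script> tags. Case-insensitive, because
// the browser matches tag names case-insensitively too (<SCRIPT> in the report).
function strip_scripts(string $fragment): string {
    $fragment = preg_replace('`<script\b[^>]*>.*?</script\s*>`is', '', $fragment);
    return preg_replace('`</?script\b[^>]*>`i', '', $fragment);
}

// Strategy 2: keep the comment, re-filter only its body.
function comment_safe(array $m): string {
    return '<!--' . strip_scripts($m[1]) . '-->';
}
function refilter_comments(string $html): string {
    return preg_replace_callback(ANY_COMMENT_RE, 'comment_safe', $html);
}

// Constructed sample: the payload from the first post plus a harmless comment.
$sample = "<p>hi</p>\n"
        . "<!--[if gte IE 4]>\n<SCRIPT>alert('XSS');</SCRIPT>\n<![endif]-->\n"
        . "<!-- note -->";

$dropped = drop_conditional_comments($sample);
assert(stripos($dropped, '<script') === false);   // whole conditional block gone
assert(strpos($dropped, '<!-- note -->') !== false); // ordinary comment kept

$refiltered = refilter_comments($sample);
assert(stripos($refiltered, '<script') === false);            // script stripped
assert(strpos($refiltered, '<!--[if gte IE 4]>') !== false);  // wrapper kept

echo $dropped, "\n---\n", $refiltered, "\n";
```

Run it with `php example.php`; the asserts pass on the sample and the two filtered versions are printed. The regex stand-in is the weak point: a real filter such as htmLawed tokenizes the markup and also handles other script vectors (event handlers, javascript: URLs) that a script-tag regex never sees, which is why the re-pass in the post above calls htmLawed itself rather than a pattern.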