
Security issues regarding links in PHPBB2


I've recently edited some regexps on a phpbb2's bbcode.php and I'm wondering if it'd bring security issues (regarding script injection from href, mainly (if it's even possible)).

I edited only the [url], [url=] and my newly created [url=""] bbcode tags.

Their original regexps (dated to 2008) didn't allow "invalid" characters such as parentheses or white spaces in the url value (which are needed for some Wikipedia pages and file hosting services' URLs), so instead of encoding the URLs' special characters as suggested by others, I just edited the regex to allow alphanumeric characters in the protocols and basically any character in the domain/rest of the url address.

The new regexps inside phpbb2's bbencode_second_pass function ($text = post's text):

// matches a [url]xxxx://www.phpbb.com[/url] code..
$patterns[] = "#\[url\]([\w]+?://.*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];

// [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\..*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];

// [url=xxxx://www.phpbb.com]phpBB[/url] code..
$patterns[] = "#\[url=([\w]+?://.*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];

// [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\..*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url4'];


// [url="xxxx://www.phpbb.com"]phpBB[/url] code..
$patterns[] = "#\[url="([\w]+?://.*?)"\]([^?\n\r\t].*?)\[/url\]#is"; //closes on first "]
//$patterns[] = "#\[url="([\w]+?://.*?)"\](?![\w\n\s]*"\])([^?\n\r\t].*?)\[/url\]#is"; //closes on last "] //discarded, ambiguous
$replacements[] = $bbcode_tpl['url3'];

// [url="www.phpbb.com"]phpBB[/url] code.. (no xxxx:// prefix).
$patterns[] = "#\[url="((www|ftp)\..*?)"\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url4'];


// [email]user@domain.tld[/email] code..
$patterns[] = "#\[email\]([a-z0-9&\-_.]+?@[\w\-]+\.([\w\-\.]+\.)?[\w]+)\[/email\]#si";
$replacements[] = $bbcode_tpl['email'];


$text = preg_replace($patterns, $replacements, $text);

// Remove our padding from the string..
$text = substr($text, 1);

return $text;

And the unedited phpbb2 declarations:

$bbcode_tpl['url1'] = str_replace('{URL}', '\\1', $bbcode_tpl['url']);
$bbcode_tpl['url1'] = str_replace('{DESCRIPTION}', '\\1', $bbcode_tpl['url1']);

$bbcode_tpl['url2'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
$bbcode_tpl['url2'] = str_replace('{DESCRIPTION}', '\\1', $bbcode_tpl['url2']);

$bbcode_tpl['url3'] = str_replace('{URL}', '\\1', $bbcode_tpl['url']);
$bbcode_tpl['url3'] = str_replace('{DESCRIPTION}', '\\2', $bbcode_tpl['url3']);

$bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
$bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\3', $bbcode_tpl['url4']); 

This works perfectly fine in my debugging so far. Now I'd like to ask if, by allowing any character to be placed inside the A tag's href attribute, I'd be exposing my users or myself to any hacker attack?

Say, I tested the javascript URI hack (javascript:) and it doesn't seem to work even on Internet Explorer, and I don't know of any way of injecting a script through the href attribute of an A tag. Would there be any risk in allowing my users to type whatever they like (as long as there's either a valid alphanumeric protocol such as *:// or www., which will have http:// placed prior to it) in the href of A tags?

Please note that I'm not considering linking to malicious sites; I want to know if hackers would be able to inject scripts/cookies/whatever through the href of an A tag without the user clicking on it!

Now it sounds a little redundant to have a href attribute run anything without its tag being clicked, but anyway, is there a way for a hacker to inject malicious code/javascript in the document through the href attribute?


Solution

  • I haven’t tested it myself, but the following might still work:

    [url]javascript://%0Aalert(1)[/url]
    [url=javascript://%0Aalert(1)]…[/url]
    [url="javascript://%0Aalert(1)"]…[/url]
    

    These should all result in the following JavaScript code as %0A is decoded to a newline character:

    //
    alert(1)
    

    Next guess: As you’re allowing any character, including the attribute value delimiting ", these might work:

    [url]http://example.com/" onclick="alert(1)[/url]
    [url=http://example.com/" onclick="alert(1)]…[/url]
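As an added example (not phpBB2's code and not the asker's), the question's url1 pattern is shown beside a hardened version that keeps the permissive URL syntax but restricts the scheme to an allowlist and HTML-escapes the captured value before it reaches the href attribute. The $tpl string is an assumed stand-in for the shape of $bbcode_tpl['url']; the same callback approach applies to the url2..url4 patterns by swapping the pattern and group index.

```php
<?php
// Added example, not phpBB2's code: the question's url1 pattern beside a
// hardened replacement. $tpl is an ASSUMED stand-in for $bbcode_tpl['url'].
$tpl = '<a href="{URL}" target="_blank">{DESCRIPTION}</a>';

// Vulnerable: the asker's pattern accepts any scheme ([\w]+?) and any
// character (including the attribute-delimiting quote) in the URL.
function bbcode_url_vulnerable(string $text, string $tpl): string
{
    $url1 = str_replace(['{URL}', '{DESCRIPTION}'], ['\\1', '\\1'], $tpl);
    return preg_replace("#\[url\]([\w]+?://.*?)\[/url\]#is", $url1, $text);
}

// Hardened: same tag syntax, but the captured URL must use an allowlisted
// scheme and is HTML-escaped before it is placed in the href attribute.
function bbcode_url_hardened(string $text, string $tpl): string
{
    return preg_replace_callback(
        "#\[url\]([\w]+?://.*?)\[/url\]#is",
        function (array $m) use ($tpl): string {
            $url = $m[1];
            // javascript:, data:, vbscript: ... are not turned into links;
            // the whole tag is left as (escaped) plain text instead.
            if (!preg_match('#^(https?|ftp)://#i', $url)) {
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            // Escaping quotes and angle brackets keeps the value inside the
            // attribute no matter which characters the regex let through,
            // so parentheses and spaces in Wikipedia-style URLs still work.
            $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            return str_replace(['{URL}', '{DESCRIPTION}'], [$safe, $safe], $tpl);
        },
        $text
    );
}

// Constructed posts: the two payload shapes from the answer plus a benign
// URL with the parentheses the asker wanted to support.
$posts = [
    '[url]javascript://%0Aalert(1)[/url]',
    '[url]http://example.com/" onclick="alert(1)[/url]',
    '[url]https://en.wikipedia.org/wiki/Foo_(bar)[/url]',
];
foreach ($posts as $post) {
    echo "vulnerable: " . bbcode_url_vulnerable($post, $tpl) . "\n";
    echo "hardened:   " . bbcode_url_hardened($post, $tpl) . "\n\n";
}
```

Running it prints the second payload's vulnerable form as an anchor whose href closes early and gains an onclick attribute, while the hardened form renders the same input with the quote encoded as &quot; inside the href.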