Welcome to the Invelos forums. Please read the forum rules before posting.

Read access to our public forums is open to everyone. To post messages, a free registration is required.

If you have an Invelos account, sign in to post.

    Invelos Forums->DVD Profiler: Desktop Technical Support Page: 1  Previous   Next
DP Tags in HTML section lack encoding
Author Message
DVD Profiler Unlimited Registrantgoodguy
Sita Sings the Blues
Registered: March 14, 2007
Reputation: Superior Rating
Germany Posts: 1,029
Posted:
PM this userDirect link to this postReply with quote
I think I mentioned that a few times in the past, but since I recently had to deal with something similar in the form of an exploit, I think it is worth mentioning again:

When using DP tags in HTML sections, the data that replaces the DP tag in the generated skin is not HTML encoded, which can lead to bogus display in some cases.

It also means that you can use almost any data field to inject a script into the skin, although the larger ones, like Overview or Easter Eggs, are more suitable. This applies to all skins, including the Default Preview skin.

If I have used DP tags in my skins, I usually dealt with encoding problems by putting the DP tags into <TEXTAREA> blocks. But that's only fine for fixing encoding problems; it doesn't help against script injection.

For HEADER_VARS, encoding is not a problem as the skin has to deal programatically with the variables anyway. Script injection is still possible, though.

If you enter the following text in, for example, your overview:

<script>/* --> </textarea>*/</script><script> alert('gotcha');</script>

the script will always be executed, regardless whether the skin uses the simple <DP NAME="OVERVIEW"> tag, the same tag enclosed in a <TEXTAREA>, or the HEADER_VARS.

Before you start to panic:

I don't think malicious script injection is a real issue, I merely used it to illustrate my point about the lack of encoding.

The screeners and the voters will probably notice if someone submits script code for a data field. Then again, at least a filter for the Online DB to detect such stuff wouldn't hurt either.
Matthias
DVD Profiler Desktop and Mobile Registrantmediadogg
Aim high. Ride the wind.
Registered: March 18, 2007
Reputation: Highest Rating
United States Posts: 6,463
Posted:
PM this userVisit this user's homepageDirect link to this postReply with quote
I think this is an outstanding post, and I totally agree. I plan to put code into BulkEdit to disallow <script> tags in any non-personal text fields. This of course doesn't stop anybody from doing it manually, but at least I'll do my part to prevent a mass insertion.

Hmmm, I'm thinking I might also add an alarm if a <script> tag is detected during edit. Maybe that would be a good thing inside the PCP plugin or inside Database Query also????
Thanks for your support.
Free Plugins available here.
Advanced plugins available here.
Hey, new product!!! BDPFrog.
 Last edited: by mediadogg
DVD Profiler Unlimited RegistrantStar ContributorLewis_Prothero
Strength Through Unity
Registered: May 19, 2007
Reputation: Superior Rating
Germany Posts: 6,730
Posted:
PM this userView this user's DVD collectionDirect link to this postReply with quote
Quoting mediadogg:
Quote:
Hmmm, I'm thinking I might also add an alarm if a <script> tag is detected during edit. Maybe that would be a good thing inside the PCP plugin or inside Database Query also????

Yes please!
But the main task is for Ken to close this.
Even though Matthias thinks that there's no need to panic (and I agree there), history shows that any security vulnerability gets abused sooner or later.

Thanks Matthias
It all seems so stupid, it makes me want to give up!
But why should I give up, when it all seems so stupid?


Registrant since 05/22/2003
DVD Profiler Unlimited RegistrantMark Harrison
I like IMDB
Registered: March 13, 2007
Reputation: Great Rating
United States Posts: 3,321
Posted:
PM this userEmail this userVisit this user's homepageView this user's DVD collectionDirect link to this postReply with quote
Quoting mediadogg:
Quote:
Maybe that would be a good thing inside the PCP plugin or inside Database Query also????


I don't use DP tags or header variables in Database Query.  But you could certainly use it to search for code in those fields already.
Get the CSVExport and Database Query plug-ins here.
Create fake parent profiles to organize your collection.
DVD Profiler Unlimited RegistrantStar ContributorRHo
Registered: March 13, 2007
Posts: 2,759
Posted:
PM this userDirect link to this postReply with quote
Quoting mediadogg:
Quote:
I think this is an outstanding post, and I totally agree. I plan to put code into BulkEdit to disallow <script> tags in any non-personal text fields. This of course doesn't stop anybody from doing it manually, but at least I'll do my part to prevent a mass insertion.

Hmmm, I'm thinking I might also add an alarm if a <script> tag is detected during edit. Maybe that would be a good thing inside the PCP plugin or inside Database Query also????

As long as the data is kept local only and is not contributed, I see no problem with script code in data fields. I can see useful applications of script code in your local database in many fields (e.g. someone could use the overview field for active content).

I don't think that BulkEdit should prevent such code. The correct point for blocking active code in data fields would be the contribution system.
DVD Profiler Desktop and Mobile Registrantmediadogg
Aim high. Ride the wind.
Registered: March 18, 2007
Reputation: Highest Rating
United States Posts: 6,463
Posted:
PM this userVisit this user's homepageDirect link to this postReply with quote
Quoting RHo:
Quote:
I don't think that BulkEdit should prevent such code. The correct point for blocking active code in data fields would be the contribution system.

I see your point. I'll think about it for awhile - maybe we'll get a response from Ken by then. I agree that the contribution system should have the trap. I just feel somewhat responsible to try and prevent my plugin from being a tool that could easily be abused.

Edit: Followed by yet another good point. Damn, you're good! 
Thanks for your support.
Free Plugins available here.
Advanced plugins available here.
Hey, new product!!! BDPFrog.
 Last edited: by mediadogg
DVD Profiler Unlimited RegistrantStar ContributorRHo
Registered: March 13, 2007
Posts: 2,759
Posted:
PM this userDirect link to this postReply with quote
Quoting mediadogg:
Quote:
I just feel somewhat responsible to try and prevent my plugin from being a tool that could easily be abused.

Every tool can be abused. But as long as the same data could have been entered manually into a profile, there is no reason why you should not be able to enter the same data with any other tool.
 Last edited: by RHo
Invelos Software, Inc. RepresentativeKen Cole
Invelos Software
Registered: March 10, 2007
United States Posts: 4,282
Posted:
PM this userEmail this userVisit this user's homepageView this user's DVD collectionDirect link to this postReply with quote
During contribution evaluation, any HTML code like this should show as plain text and not execute.  If you find a way to bypass that, please let me know.  Suspicous contents are also flagged and highlighted for the Invelos evaluators.

Thusfar we haven't seen many instances of this, and those that we have seen appear to be intended for local use.  Bear in mind that any script in the skin is unable to do malicious things like access system resources since the browser runs as untrusted.  However, if we do run into someone intentionally inserting script that shouldn't be there, it will be a one-way ticket to permanent contribution ban.
Invelos Software, Inc. Representative
DVD Profiler Unlimited Registrantgoodguy
Sita Sings the Blues
Registered: March 14, 2007
Reputation: Superior Rating
Germany Posts: 1,029
Posted:
PM this userDirect link to this postReply with quote
Quoting Ken Cole:
Quote:
During contribution evaluation, any HTML code like this should show as plain text...

Which was kinda my point. The simple DP tags should work the same way and create HTML-encoded text. Not only because of the script stuff, but because you can end up with bogus display, if the data field contains special characters like "<", ">" or "&".

The only exceptions to HTML-encoding should be:
- the Overview, where the bold/italic tags should pass through unencoded, if formatting is enabled.
- the Notes, but only if use HTML for Notes is enabled.
Matthias
Invelos Software, Inc. RepresentativeKen Cole
Invelos Software
Registered: March 10, 2007
United States Posts: 4,282
Posted:
PM this userEmail this userVisit this user's homepageView this user's DVD collectionDirect link to this postReply with quote
We do not plan to encode the DP tags locally - if a user chooses to enter that type of data locally, they are free to do so.
Invelos Software, Inc. Representative
    Invelos Forums->DVD Profiler: Desktop Technical Support Page: 1  Previous   Next