Sanitize Plugin

This plugin has been deprecated. The Sanitize plugin was incorporated (and extended) into Movable Type 2.6. For more information about this, and about how to uninstall this plugin, please read this article.

Sanitize is a Movable Type plugin that lets you clean HTML and other markup that might exist in a comment entry. Read on for more information about how it works and what it's for. If you're using Movable Type and allow HTML comments on your site, you really need to read this...

Availability

The plugin referred to here is available here: mtsanitize-1_2.zip.

Description

Movable Type has a nasty little security problem. Well, it isn't the fault of Movable Type, actually. It's something you get when you allow HTML in your comments and combine that with using PHP, ASP, JSP, or simple SSI to process your pages. For example: what if someone were to put this in their comment (on a blog that allows HTML comments)?

<?php readfile("/etc/passwd") ?>

Well, that would print out the contents of the /etc/passwd file on your server. Worse yet, they could reference other files readable by Movable Type, such as mt-db-pass.cgi (which holds the password for a Movable Type installation that uses MySQL for storing the blog content).

Well, the quick fix for this problem is to disallow HTML comments. But if you want to keep your HTML comments and strip them of unsafe tags, you can use the Sanitize plugin to clean them up. Here's how you might use it:

<MTCommentBody
  sanitize_html="a href,b,br,p,strong,em,ul,li">

The tags listed in the 'sanitize_html' attribute are the tags that are allowed; any tag not listed is removed. In addition, PHP, ASP, JSP and SSI markup is stripped out automatically to prevent abuse. As of the 1.1 update, the attributes to allow must also be specified. To specify attributes, add a space after the tag name, then list each allowed attribute name, separating them with spaces (as in 'a href' above). If you want to allow an attribute for ALL allowed tags, add a '*' as a tag name, followed by the list of attribute names.

One more feature of the Sanitize plugin is that while it scans the HTML for tags, it keeps track of which tags have been opened and closed. If any tags are still open at the end of the data, it appends a closing tag for each of them. 'Runaway tags' are commonplace when you allow HTML in your comments: a bold tag is opened but the commenter never closes it, so all the following content becomes bold too. Sanitize adds the missing closing bold tag in such a case.
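To make the allow-list, markup stripping and tag-closing behaviour described above concrete, here is an added example in Python (not the plugin's own Perl code): it reads the same 'sanitize_html' spec format, strips PHP/ASP/JSP/SSI markup before parsing, keeps only listed tags and attributes, and closes runaway tags. How nested tags are closed and which tags count as self-closing are my assumptions, not documented plugin behaviour.

```python
import re
from html import escape
from html.parser import HTMLParser

# Server-side markup that must never survive, whatever the allow-list says:
# PHP (<? ... ?>), ASP/JSP (<% ... %>) and SSI (<!--#cmd ... -->).
SERVER_MARKUP = re.compile(r"<\?.*?\?>|<%.*?%>|<!--#.*?-->", re.S)

# Tags that take no closing tag (assumed set); never push these on the stack.
VOID_TAGS = {"br", "img", "hr", "input"}

def parse_spec(spec):
    """'a href,b,* title' -> ({'a': {'href'}, 'b': set()}, {'title'})."""
    allowed, global_attrs = {}, set()
    for item in spec.split(","):
        parts = item.lower().split()
        if not parts:
            continue
        if parts[0] == "*":
            global_attrs.update(parts[1:])
        else:
            allowed[parts[0]] = set(parts[1:])
    return allowed, global_attrs

class Sanitizer(HTMLParser):
    def __init__(self, spec):
        super().__init__()          # entities are decoded, then re-escaped below
        self.allowed, self.global_attrs = parse_spec(spec)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return                  # disallowed tag: drop it, keep its text
        ok = self.allowed[tag] | self.global_attrs
        # Only listed attribute names survive (so onclick= etc. are dropped);
        # values are re-escaped, but their content (e.g. a URL scheme) is not vetted.
        kept = "".join(' %s="%s"' % (k, escape(v or "", quote=True))
                       for k, v in attrs if k in ok)
        self.out.append("<%s%s>" % (tag, kept))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close back down to the matching open tag so nesting stays
            # well-formed (<p><b>x</p> becomes <p><b>x</b></p>).
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # a stray '<' stays text

    def result(self):
        self.close()
        # Runaway tags: append a closer for everything still open, innermost first.
        return "".join(self.out) + "".join("</%s>" % t for t in reversed(self.open_tags))

def sanitize(html, spec="a href,b,br,p,strong,em,ul,li"):
    s = Sanitizer(spec)
    s.feed(SERVER_MARKUP.sub("", html))
    return s.result()
```

Comments and declarations are dropped by the parser's defaults, so an HTML comment never reaches the output either.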

If you have questions, complaints or problems with this plugin, please post them here within the comments for this entry.

TrackBack

TrackBack URL for this entry:
http://bradchoate.com/mt/feedback/tb/392

Listed below are links to weblogs that reference Sanitize Plugin:

» Sanitary comments from Kalsey Consulting Group
The Sanitize plugin improves security for outside HTML on Movable Type Weblogs. [Read More]

» Deny everything from Kalsey Consulting Group
When thinking security, only open what is necessary. Block everything else, including the unknown. [Read More]

» MTCleanHTMLPlugin has a "competitor" from 0xDECAFBAD
Like the MTCleanHTMLPlugin I released a little while ago, Brad Choate's new MT Sanitize Plugin appears to do the same job. I haven't tried it yet, but since I'm using a pile of Brad's plugins and have based all of mine upon his examples, I'm assuming i... [Read More]

» sanitize plugin from scriptygoddess.com
Worried about people posting malicious code in your comments, but still want the functionality of HTML enabled comments?? You might [Read More]

» Sanitize Plugin: to clean up HTML abuses in the Comments. from mini-d
It's not a bad idea at all, Sanitize should do it well... cleaning up all kinds of errors that people write in [Read More]

» /bradchoate/ is the funniest subdirectory on my server. from Live in the Delirious Cool
OH MY GOD IT DIDNT WORK! It worked in the "preview" thing, I swear!!! If you didn't watch the Amazing [Read More]

» sanitize plugin from Girlie's Tips and Tricks
Get thee post haste to Brad Choate's site and pick up the MT Sanitize plugin! Apply to all of your [Read More]

» Sanitized for our protection from Backup Brain
New MT plugin added here: Brad Choate's Sanitize Plugin. If all goes well, you shouldn't notice anything a'tall. But I [Read More]

» Calling security ... from ***Dave Does the Blog
Haven't installed MT 2.5 yet, but I found something I'll be installing at the same time: Brad Choate's Sanitize Plugin. [Read More]

» Just a Tip... from Big Pink Cookie
I have seen posts around the weblog world about people signing up for NaNoWriMo. (No, I am not one of [Read More]

» Now with 23% More Functionality! from Maximum Aardvark
Remember that unpleasantness from early October? Sometime around then I disabled HTML in comments to this site (because I don't want to have to look at a man's gaping asshole [Read More]

» Sanitize your comments from The Ducks of Plato
Theory had it today was supposed to be concentrating on sorting out the XHTML validation issues that I've got on [Read More]

» plugin maddness from blakecam.com | rant
i have been working like mad installing a number of scripts and movabletype plugins to [Read More]

» PHP and more from J : Da Blog
My page now has a .php extension. I've probably been living under a rock, but I had no idea you [Read More]

» Blog: How My Blog Works from Richy's Random Ramblings
How my blog works, what software (and plugins) are used and how it all sticks together. [Read More]

» MT sanitize plugin from anil dash's daily links
http://www.bradchoate.com/past/mtsanitize.php [Read More]

» No Explosions At My House from Team Murder
After hearing about Spring ninety thousand times from people that really should know what they're talking about I wandered over [Read More]

» So far, so good from Jonathon Delacour
Happily, the move seems to have worked. I was able to see the new server less than 24 hours after changing the DNS. It's such a relief to be on a Linux server instead of IIS—the support people at my previous host were excellent but I love being a... [Read More]

» Do you have protection? from As deep as a puddle after a hard rain
For my MT buddies:: I'm not all up on the bad that can happen through allowing HTML in comments, but better to be safe than sorry right? I installed Brad Choate's Sanitize Plug-in and it was pretty simple going. You guys may want to look into it, if yo... [Read More]

» ctrl+c ctrl+v from TummyMonsters
i've been a happy little copy and paster the last couple of days. i finally got around to installing the [Read More]

» there's a hole in your blog from kd: a blog
well, there might be. if you allow HTML in your comments, you could have the same thing happen to you [Read More]

» http://retrogra.de/archives/2003/01/26/.html from retrogra.de
Two more small updates completed. First, the "Top 20 Referrers" on the index page and on the pages of the [Read More]

» Pay no attention to that man behind the curtain from retrogra.de
Two more small updates completed. First, the "Top 20 Referrers" on the index page and on the pages of the [Read More]

» Movable Type version 2.6 is just around the corner from The Maelström
A new minor version of Movable Type will be available soon (in 2 or 3 weeks). If you don't know [Read More]

» Rogue Tags, Serendipitous Plugins from Tangleweeds
So I had a major adventure posting yesterday's message, and made an entirely uninformed decision that it happened because the [Read More]

» Movable Type 2.6 from Erik's Weblog
Movable Type 2.6 was released today and I just upgraded to the new version. Since I spread the different MT [Read More]

» Sanitize Usage from ManiacalRage
Based on some changes I made around here, and a question posed by shawnmorrison last night, I'm gonna post a few quick notes about Brad Choate's Sanitize plugin for Movable [Read More]

» All things Movable Type from dive into mark
Movable Type 2.6 is out. Here's what's new, and how to use it. [Read More]

» Upgrades from Anger Management Course
I upgraded to MT 2.63. It runs flawlessly. The main... [Read More]

» damned hackers from sometimes daily
If you're running Movable Type (pre v2.6) and don't have the Sanitize plugin, grab a copy and install it. Better... [Read More]

» Sanitize Plugin from daily bLog by snotch
Sanitize plugin introduction for Japanese. [Read More]

» MT Plugins from Opinion
A couple more MT plugins from the prolific Brad Choate have been added to the system. First is Sanitise, which allows unwanted HTML to be stripped from comment displays. This was due to a problem caused by a closing tag being cropped by the recent comm... [Read More]

» Just like riding a bicycle from Take the First Step
They say that programming in a language is just like riding a bicycle [Read More]

» Just like riding a bicycle from Take the First Step
I decided to borrow some code from Brad Choate's Movable Type Sanitize Plugin. Fortunately, the code was available as a perl module and easy to add. [Read More]

» Movable Type version 2.6 is just around the corner from The Maelström - Blog
A new minor version of Movable Type will be available soon (in 2 or 3 weeks). If you don't know what Movable Type is, I invite you to read their FAQ on their site. Movable Type is a tool that allows... [Read More]

18 Comments

How about stripping attributes from allowed tags (well, not href from a, but other than that)? I don't mind letting people make things bold, but I'd just as soon they don't make them style="color:lime; font-size:80px"

Brad Choate said:

You could do that using the Macro plugin. Ie:

<MTMacroDefine ctag="a" name="comment_a" no_case="1">
<MTMacroAttr name="style" remove="1"><MTMacroTag rebuild="1"><MTMacroContent></a>
</MTMacroDefine>

Then for your CommentBody tag:

<MTCommentBody apply_macros="m/^comment_/">

l.m.orchard said:

Hey there... I've got a similar plugin to this (MTCleanHTMLPlugin), based on code I borrowed from LiveJournal. One thing that they do that would be good to consider is extensive filtering out of javascript-enabling attributes (i.e. onclick, onmouseover, etc.). Nasty things have been known to happen down that road. You could probably do something like that fairly simply by having a list of allowed attributes per tag, as well as allowed tags.

Eduardo said:

Brad, Great plug-in! Just a couple of comments:

1. It closes tags that don't need to be closed, like the image tag.

2. It closes tags after the closing paragraph tag added by MT, so that the order of tags is not standard, i.e., p b /p /b, rather than p b /b /p.

3. If there's a br tag in the line, it doesn't close the b tag.

I don't know if all this matters to the Web browser, so maybe it's not that important.

girlie said:

Sorry about those double pings - the first time I saved the entry, the URL stayed in the box as though the ping had failed - at least, I thought that's what it meant. Hmmmm.

Hi! I’m currently configuring my blog to use your plugin, but I was wondering:

My website uses XHTML. So I was wondering if your plugin supports elements from other namespaces, like xml:lang.

Thanks for making this plugin!

 — minger

michel v said:

Erm, it's not a problem with HTML. It's a problem with Movable Type, for God's sake. Its comments section is insecure out of the box.
And with its thousands of users... it only took almost a year to notice MT allowed just anything to pass without first checking it's secure? I don't mean to badmouth MT, for in my mouth it would sound very biased, but please... LMAO, this is incredible :P
Thank God (or Rasmus and friends) for PHP's strip_tags() function, which does just what you did.

By the way, I just noticed you should also change any style, class, id attribute into a safer title attribute in the comments. This avoids defacements such as this one.
(OK, so b2 was vulnerable to such ridicule 0wnage too until tonight, but at least it doesn't come with a giant security issue in the comments form by default, eheh ;)

Ben said:

michel -- MT is *not* insecure out of the box. By default, all files have the extension .html. There may be some obnoxious Javascript tricks that could be pulled using that configuration, but certainly nothing like the things you can do with PHP, SSI, etc.

Now, it's true that the documentation could have been more clear about the dangers of using .php and .shtml as file extensions *with* static comments, but to say that this insecurity exists out of the box is completely false.

michel v said:

OK, I retract that statement about MT being insecure out of the box.
But just because files have the extension .html by default doesn't mean comment data shouldn't be sanitised by default before being inserted in the database, don't you think? :)

Ben said:

Actually, it is (well, it's sanitized before being displayed on a public page, at least).

Another default in a new MT blog is that HTML in comments is not allowed. So by default, all HTML in comments is completely stripped out--this includes both valid HTML tags and PHP/SSI/JSP/etc.

So in order to make it insecure you actually have to change the file extensions *and* check "allow HTML in comments". I forgot to mention that last night.

Anyway, yes, Brad's plugin is great, and it definitely fills a need.

TeledyN said:

Do you take plugin requests? ;) ... I'd like to propose a de-sanitizer (defiler??) that basically goes the other way: it takes straight text and produces HTML. Since you've posted a geekcode ;) then the technical word for what I would most like to see is a WikiText plugin.

This would seem most similar to your sanitizer, and I think folding the easy markup of WikiText into blogspace would open up blogging for a lot more people. We just need to look at the size of Wikipedia to see that everyday people have no trouble with WikiText, but there's no way we're going to get more than 10% of the population using inline HTML.

What do you think? Doable? Desirable?

Sam said:

A suggestion that occurred to me recently. I've noticed that when people post HTML comments, and accidentally put in a line break (by pressing enter while typing, not with a <br> tag) in the middle of a tag, stuff stops working. For example, an image might not display, or other annoying things like that.

I'm pretty sure it would be an easy fix that could tie in nicely with the checking for a close tag, but I'm a perl retard, and thus cannot implement it myself.

Just a suggestion :)

Norm Jenson said:

A question from a novice. After creating the directories and installing the files, is it correct that I replace with in the comment template?

nardo said:


An error occurred:

bradchoate/sanitize.pm did not return a true value at plugins/sanitize.pl line 28.

this is my code:

recognise this error?

thanks, nardo

Brian said:

I think this plugin is stripping the target from my hrefs. The target="_blank" exists in the comment entry but is not getting through to the HTML. Do I need to include something for target in my allowable tags? I tried including target already.

girlie said:

Quote:

"One more feature of the Sanitize plugin is that while it scans the HTML for tags, it keeps up with which tags have been opened and closed. By the end of the data, if there are any tags that weren’t closed, it will append closure tags for each of them."

Can this be refined a bit? I'm having a little trouble, which is easiest explained by pointing you to the second page of this support forum thread. It may be closing a tag for me prematurely?? Or do you think it's something else causing this?

Thanks! Love the new site, btw!

Garrett said:

To allow the target tag, put this in your allowed tags:

a href target

Additionally, you can include title as well, allowing someone to create a full link.

Jason said:

What's the correct way to declare a singular tag with attributes?

img src width height alt/

Or

img/ src width height alt

About

This article was published on October 3, 2002 12:25 AM.

The article previously posted was MIT OpenCourseWare Pilot.

The next article is Nasdaq Threatens to Delist Nasdaq.

Many more can be found on the home page or by looking through the archives.
