Comments inside my posts are getting escaped by the filter and look like this:

<!-- technorati tags start -->

Technorati Tags: Drupal

<!-- technorati tags end -->

My Settings:

    * Lines and paragraphs break automatically.
    * Web page addresses and e-mail addresses turn into links automatically.
    * Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <p> <br>
CommentFileSizeAuthor
#7 filter.module.allowHTMLComments.patch4.49 KBharking
#5 filter.module.allowHTMLComments.patch903 bytesharking
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

DiGriz’s picture

DiGriz CreditAttribution: DiGriz commented

Forgot some data...
FreeBSD 6.2-RC1
Server: Apache/2.2.3 (FreeBSD) mod_ssl/2.2.3 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.0 with Suhosin-Patch SVN/1.3.1

Steven’s picture

Steven CreditAttribution: Steven commented
Status: Active » Fixed

This was broken by #101775. I committed a fix that restores the old behaviour, which simply removed all HTML comments.

Note that leaving HTML comments in place is very bad from a security point of view, because of various browser inconsistencies in parsing them. It is better to be safe than sorry.

Anonymous’s picture

(not verified) CreditAttribution: commented
Status: Fixed » Closed (fixed)
harking’s picture

harking CreditAttribution: harking commented
Version: 5.0-rc1 » 5.10
Component: base system » filter.module
Status: Closed (fixed) » Active

Steven, can you provide some examples of how enabling the HTML comments would be a security issue?

We currently need to utilize them in order to allow a standards compliant way of embedding flash video. See http://code.google.com/p/swfobject/

Thanks

harking’s picture

harking CreditAttribution: harking commented
Status: Needs work » Active
FileSize
filter.module.allowHTMLComments.patch903 bytes

I've attached a small patch to the filter.module that enables HTML comments to pass through the filter. It needs more testing and is probably the wrong route to approach the problem. I'll have to read through the filter.module code again to find the correct way.

This patch adds

to the list of matches which will be passed into filter_xss_split. It also removes the > character as a match (probably incorrectly) in order to catch the case of <!-- [if IE]>--> being turned into <!--[if IE]&gt;-->

harking’s picture

harking CreditAttribution: harking commented
Status: Active » Needs work
harking’s picture

harking CreditAttribution: harking commented
Status: Active » Needs work
FileSize
filter.module.allowHTMLComments.patch4.49 KB

Here is an updated patch. It now is deactivated by default (filter will remove the html comments) and can be enabled per Input Format.

Tested using the following: regular comment, conditional comment, multi line comment, and SWFObject:

<!-- Shouldn't see this but it should be in the source -->
<!--[if gte IE 6]> 
<h2>Should see this on IE6+</h2> <![endif]--> 
<!--[if IE]>
<script>
alert('testo on IE')</script> 
<![endif]-->
<!-- 
Multi
Line
Comment
-->
<!-- -->
<h2>SWFObject Object Embed</h2>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" height="260" id="media-container" width="320">
	<param name="movie" value="http://video.cws.oregonstate.edu/player.swf?file=gqzvh-std.mp4&amp;image=http%3A//video.cws.oregonstate.edu/gqzvh-std.jpg&amp;fullscreen=true">
	</param>
	<!--[if !IE]>--> 	
	<object data="http://video.cws.oregonstate.edu/std/gqzvh.swf" height="260" type="application/x-shockwave-flash" width="320">
		<!--<![endif]--> 	
		<param name="allowfullscreen" value="true">
		</param>
		<param name="allowscriptaccess" value="always">
		</param>
		<div class="shadow-left-caption">
		<img alt="Space Shuttle screenshot" src="http://video.cws.oregonstate.edu/gqzvh-std.jpg" />
		<p>
		This media requires <a href="http://www.adobe.com/go/getflashplayer">Adobe Flash Player</a>. 
		</p>
		</div>
		<!--[if !IE]>--> 	
	</object>
	<!--<![endif]--> 	
	<param name="allowfullscreen" value="true">
	</param>
	<param name="allowscriptaccess" value="always">
	</param>
</object>
harking’s picture

harking CreditAttribution: harking commented
Status: Needs work » Needs review
mcurry’s picture

mcurry CreditAttribution: mcurry commented

subscribing

drumm’s picture

drumm
he/him
Location NY, US
CreditAttribution: drumm commented
Status: Needs review » Closed (works as designed)

The conditional comments show exactly how HTML comments can do more than just commenting. I am not aware of other malicious uses offhand, but there may be cases where a browser interprets a specially-crafted comment.

You are already allowing object tags, the user can include remote applets, flash, movies and other plugins. Go ahead and just don't use HTML filtering in this case, such as the default Full HTML input format. Do make sure you trust users with permission to do this; know who they are and make sure they have an understanding of phishing and basic computer security.

Alternatively, use a module designed to embed media, such as http://drupal.org/project/emfield.

deviantintegral’s picture

deviantintegral CreditAttribution: deviantintegral commented
Version: 5.10 » 5.16
Status: Closed (works as designed) » Needs review

The patch in #7 works for me against Drupal 5.16. Pending a resolution about the validity of this I can do a full review.

I and others have written modules which use comments as markup for content. The main advantage is that when the input filters are disabled, the markup doesn't end up displaying to users (like how it would for img_assist's markup). I used this because I "did what core did", modelling after <!-- break-->. While for the object tag full HTML makes sense, there are many other use cases where it doesn't. This essentially represents an API change, so even if such markup is discouraged in the future, I think it should be supported for D5 (and possibly D6; haven't had a chance to test yet).

In terms of browser security, comments are a part of the XHTML specification. If they are doing things beyond the spec that they shouldn't do, then IMO that's not our problem and it's up to the browser to be fixed.

Other modules which are affected by this can be found at a similar issue against HTML corrector at #222926: HTML Corrector filter escapes HTML comments.

drumm’s picture

drumm
he/him
Location NY, US
CreditAttribution: drumm commented
Status: Needs review » Closed (works as designed)

Is this an API change? When did Drupal 5 support HTML comments passing through the HTML filters?

We have to consider browser security of what browsers actually do, not the specs.

This might want to be moved up to the development version.

neochief’s picture

neochief CreditAttribution: neochief commented
Status: Closed (works as designed) » Closed (duplicate)

#222926: HTML Corrector filter escapes HTML comments