I'm currently building my first "bigger" Symphony-based site and am wondering what might be the best way to keep comments as safe as possible while still somehow formattable.

I simply know way too little about Symphony / security / PHP / formatting syntaxes to figure this out for myself, but as formatting comments is quite a common task, I thought it would be interesting for a lot of people to hear what more experienced Symphony users consider to be the best approach to this.

In general I'd like to stick to the markdown-syntax, but as the markdown-formatter doesn't escape any kind of html or script-elements it doesn't seem to be a good idea to use it for comments... the "Restricted HTML"-formatter looks like a possible solution but a kind of "Restricted Markdown" would be much sweeter - anybody ever built something like that?

And would it be possible to build a custom textarea field that could perform input validation itself? So that I could add every syntax without having to worry about malicious code insertion...? I like the idea, but I don't know if this is possible... or even makes sense...

Thanks for any advice & happy new year!

I'm fairly sure the following rules will keep your HTML safe. If anyone can think of more, please add them.

  • Don't allow arbitrary HTML elements. (script, iframe, object, etc. are vulnerable.)
  • Don't allow arbitrary HTML attributes. (JS event handlers like onclick are vulnerable.)
  • Don't allow javascript: URIs in links.

A restricted Markdown formatter would be very useful, and I think we should add this to the existing Markdown extension.

Recently I learnt that the Markdown extension used here on Overture was vulnerable to exploits using javascript: URIs as link targets (and has since been fixed). To test this on your own site, just make sure this Markdown doesn't create a link that produces an alert:

[click me](java$cript:alert('This site is vulnerable.'\))

...substituting "s" for "$" obviously - the patch disallows me from adding a correct example.
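
To make the three rules above concrete, here is an added example; it is my code, not Scott's, not the Symphony Markdown extension's and not anything posted in this thread. It is a plain PHP function that post-processes whatever the Markdown formatter outputs: it parses the HTML into a DOM, keeps only allow-listed elements and attributes, and drops `href`/`src` values whose scheme is not on an allow list. The function name, the allow lists and the sample input are assumptions made for illustration; hooking it into a Symphony text formatter class is left out.

```php
<?php
// Added example (not Symphony's own code, not from the thread): enforce the
// three rules from the post above on the HTML that a Markdown formatter emits.
// Names, allow lists and the sample input are assumptions for illustration.
// Works on PHP 5.3+ (no scalar type hints on purpose, to match the listed range).

// Returns true if a URI value has no scheme (relative URL) or an allowed one.
function uri_scheme_allowed($value, array $allowedSchemes)
{
    // Browsers ignore leading controls/whitespace and embedded tabs/newlines,
    // so "  jAva\tscript:alert(1)" still runs; normalise before checking.
    $value = preg_replace('/^[\x00-\x20]+/', '', $value);
    $value = str_replace(array("\x00", "\t", "\n", "\r"), '', $value);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $value, $m)) {
        return true; // no scheme at all: a relative link, which cannot run script
    }
    return in_array(strtolower($m[1]), $allowedSchemes, true);
}

// Recursively prune $node's subtree in place according to the allow lists.
function filter_node(DOMNode $node, array $allowed, array $uriAttributes, array $allowedSchemes)
{
    // Snapshot the child list: removing nodes while iterating a live list skips siblings.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $name = strtolower($child->tagName);
            if (!isset($allowed[$name])) {
                // Rule 1: element not on the list. Remove it together with its
                // content, so the body of <script>/<style>/<iframe> never reappears as text.
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $attrName = strtolower($attr->name);
                if (!in_array($attrName, $allowed[$name], true)) {
                    // Rule 2: attribute not on the list (this catches every on* handler).
                    $child->removeAttribute($attr->name);
                } elseif (in_array($attrName, $uriAttributes, true)
                          && !uri_scheme_allowed($attr->value, $allowedSchemes)) {
                    // Rule 3: javascript: (or data:, vbscript:, ...) in a URI attribute.
                    // The DOM parser has already decoded entities such as &#58;, so an
                    // entity-encoded scheme cannot slip past this check.
                    $child->removeAttribute($attr->name);
                }
            }
            filter_node($child, $allowed, $uriAttributes, $allowedSchemes);
        } elseif (!($child instanceof DOMText)) {
            // Comments, CDATA sections and processing instructions are not needed in a comment.
            $node->removeChild($child);
        }
    }
}

// Takes the Markdown formatter's HTML output, returns the restricted HTML.
function restrict_markdown_html($html)
{
    // Elements that may survive and, per element, the attributes that may stay.
    $allowed = array(
        'p' => array(), 'br' => array(), 'em' => array(), 'strong' => array(),
        'code' => array(), 'pre' => array(), 'blockquote' => array(),
        'ul' => array(), 'ol' => array(), 'li' => array(),
        'a'   => array('href', 'title'),
        'img' => array('src', 'alt', 'title'),
    );
    $uriAttributes  = array('href', 'src');
    $allowedSchemes = array('http', 'https', 'mailto');

    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // fragments are not well-formed documents; that is fine
    // The leading XML declaration tells libxml the fragment is UTF-8.
    $doc->loadHTML('<?xml encoding="utf-8" ?>' . $html);
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return ''; // nothing parsed (empty input)
    }
    filter_node($body, $allowed, $uriAttributes, $allowedSchemes);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child); // serialise only the body's children, not <html><body>
    }
    return $out;
}

// Constructed sample: the kind of HTML a Markdown formatter could emit from a
// hostile comment. The handler attributes, the javascript: link and the script
// element are removed; the https link, its title and the img src survive.
$sample = '<p>Hi <strong onclick="steal()">there</strong> '
        . '<a href=" jAvaScript:alert(1)">click</a> '
        . '<a href="https://example.com/" title="ok">fine</a> '
        . '<script>alert(1)</script>'
        . '<img src="/pic.png" onerror="alert(1)"></p>';
echo restrict_markdown_html($sample), PHP_EOL;
```

Two design points worth stating: the filter runs on the parsed DOM, not on the raw string, so the decoding tricks that defeat regex filters (entity-encoded or whitespace-padded `javascript:` schemes, unclosed tags, attribute values without quotes) are resolved by the parser before the checks run; and it is an allow list on both elements and attributes, so a new handler attribute or a new embedding element is rejected without anyone having to remember to add it to a deny list.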

Are there any plans to update Symphony's Markdown extension in the near future?

@michael-e: Yes absolutely, but unfortunately the team is swamped with work currently, so I don't want to pester Alistair until after it calms down in a week or so (lest I suffer the wrath of his pointy beard, or his spoon which is apparently way too big).

You don't really have to modify Markdown. Just add a wrapper which will "clean up" what Markdown outputs. Or (sorry for self-promotion ;) use Templated Text Formatters extension :).

@Scott: Thanks for the information! I would love to see an "approved" restricted markdown formatter added to the regular markdown extension. Think this would be of good use for a lot of not-so-php-affine users.
As ahwayakchih said - this probably just would be another wrapper which sanitizes the output of Markdown. That's what I did for my current needs. I just borrowed some functions from the Sanitize class of CakePHP and it seems to work pretty fine :)

@ahwayakchih: Your TTF was the very first thing I tried out - but I simply didn't really understand how to use it for my needs... I know pretty little about Regex, so the only thing I could use it for is chaining existing formatters - or did I miss something? Would love to see more documentation / examples about how to use it.

Roman, it could be done with some complicated set of regular expressions, but I thought that it would be simpler to just use code already existing on the net, and created a new formatter template based on Kallahar's code. It's on GitHub, ready to be tested :).

edit: modified code, so it keeps html valid.

@ahwayakchih: thanks for your update -- gonna give it a try as soon as I find some time...

Roman, thanks. Please let me know about the results - I'll probably extract it into a separate module with a "regular" text formatter, so people won't have to use the Templated Text Formatters extension (though it may be much more useful when chained with Markdown, or Textile, or any other "simple syntax" formatter, I don't want to force people to use additional extensions :).

If you need help testing the filter for security, let me know.

I would suggest using XSLT and the ninja technique to only allow the HTML elements you like. No need for filters, regular expressions or other medieval techniques. :-)

btw: this thread is more than a year old

Symphony • Open Source XSLT CMS