Today we were looking for a BBCode interpreter. As a primarily .NET development team, after some frantic googling to see whether there was anything we could use, in the hope that it had been tried, tested and was ultimately secure, we found a possibility.
Googling for ‘.NET bbcode’ returns this at the top of the results: http://bbcode.codeplex.com. It looks promising, and the blurb even confirms what we are after:
We have used Pex (http://research.microsoft.com/en-us/projects/Pex/) to extensively test some important properties of this BBCode-Parser. We used Pex to ensure that the parser never crashes and that it never emits any dangerous tag such as , no matter what the input was. The user can type any HTML he wants but it will just get encoded, even when it is in unusual places like the href-attribute of the url-tag. If you have any questions about this you can post them on http//codekicker.de if you speak german. In other cases you can contact us by email in english.
So what went wrong? The first thing is the way in which [url] tags are dealt with:
Which results in the following HTML:
<img src=" " />
And for good reason. It’s extremely easy to google for a library and have multiple sources tell you ‘this is secure, use this’. Always security test a library yourself, with the kind of input an attacker would actually send, before building on it. In particular, a promise that everything gets HTML-encoded says nothing about the value itself: a javascript: URL in an href is still a javascript: URL after encoding, and encoding alone will not stop it.
Thanks to http://jeffchannell.com/Other/bbcode-xss-howto.html for the excellent BBCode injection examples; it is a great resource if you are attempting to test your own BBCode solution.
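To show the kind of test meant above, here is an added example (written for this post in Python so it runs anywhere; it is not the bbcode.codeplex.com library's code and does not reproduce that library's actual behaviour). It contains a minimal BBCode converter in two variants: one that only HTML-encodes, which is the approach the blurb describes, and one that additionally checks the scheme of every href/src before emitting it. Both are run over a handful of constructed payloads modelled on the usual BBCode injection patterns (javascript: URIs, a URI split with a newline, an attribute break-out, a data: image). The payload set, the is_safe_url check and the crude dangerous() detector are all assumptions made for this example.

```python
"""Minimal BBCode -> HTML converter in two variants, to illustrate why
"we HTML-encode everything" is not the same as "the output is safe".

Added example for this post; NOT the bbcode.codeplex.com library's code.
"""
import html
import re
from urllib.parse import urlsplit

# Only absolute http(s) URLs are allowed in href/src. Everything else
# (javascript:, data:, vbscript:, protocol-relative //host, ...) is rejected.
ALLOWED_SCHEMES = {"http", "https"}

_URL_WITH_ARG = re.compile(r"\[url=(.+?)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
_URL_PLAIN = re.compile(r"\[url\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
_IMG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
_BOLD = re.compile(r"\[b\](.*?)\[/b\]", re.IGNORECASE | re.DOTALL)


def is_safe_url(raw):
    """True only for absolute http(s) URLs (assumed policy for this example).

    Browsers ignore ASCII control characters and whitespace inside a URL, so
    'java\\nscript:alert(1)' still runs; strip them first so the scheme check
    sees what the browser will see.
    """
    cleaned = "".join(ch for ch in raw if ord(ch) > 0x20 and ord(ch) != 0x7F)
    parts = urlsplit(cleaned)          # urlsplit lower-cases the scheme
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def naive_to_html(bbcode):
    """Encode-only conversion: '<', '>', '"', "'" and '&' are all escaped up
    front, so tags cannot be injected, but href/src values are used as-is."""
    escaped = html.escape(bbcode, quote=True)
    out = _BOLD.sub(r"<b>\1</b>", escaped)
    out = _IMG.sub(r'<img src="\1" />', out)
    out = _URL_WITH_ARG.sub(r'<a href="\1">\2</a>', out)
    out = _URL_PLAIN.sub(r'<a href="\1">\1</a>', out)
    return out


def _link(href_escaped, label_escaped):
    # The captured value is already HTML-escaped; unescape it to validate the
    # real URL, then re-escape it for the attribute. Unsafe URL: drop the link.
    href = html.unescape(href_escaped)
    if not is_safe_url(href):
        return label_escaped
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), label_escaped)


def _image(src_escaped):
    src = html.unescape(src_escaped)
    if not is_safe_url(src):
        return src_escaped              # render the text, not an <img>
    return '<img src="%s" />' % html.escape(src, quote=True)


def hardened_to_html(bbcode):
    """Same encoding as naive_to_html plus a scheme allow-list on href/src."""
    escaped = html.escape(bbcode, quote=True)
    out = _BOLD.sub(r"<b>\1</b>", escaped)
    out = _IMG.sub(lambda m: _image(m.group(1)), out)
    out = _URL_WITH_ARG.sub(lambda m: _link(m.group(1), m.group(2)), out)
    out = _URL_PLAIN.sub(lambda m: _link(m.group(1), m.group(1)), out)
    return out


# Constructed test payloads (assumed for this example), modelled on the common
# BBCode XSS patterns: javascript: URIs, attribute break-outs, data: images.
PAYLOADS = {
    "js_url":   "[url=javascript:alert(1)]click[/url]",
    "js_img":   "[img]javascript:alert(1)[/img]",
    "split_js": "[url=java\nscript:alert(1)]click[/url]",
    "breakout": '[url=http://example.com/" onmouseover="alert(1)]x[/url]',
    "data_img": "[img]data:text/html,<script>alert(1)</script>[/img]",
    "benign":   "[url=http://example.com/?a=1&b=2][b]ok[/b][/url]",
}


def dangerous(html_out):
    """Crude check for the harness: flag any href/src whose (unescaped,
    control-stripped) value is not an absolute http(s) URL."""
    for attr in re.findall(r'(?:href|src)="([^"]*)"', html_out):
        value = "".join(ch for ch in html.unescape(attr) if ord(ch) > 0x20)
        if not value.lower().startswith(("http://", "https://")):
            return True
    return False


def run_payloads(convert):
    """Names of the payloads for which `convert` produced dangerous HTML."""
    return sorted(name for name, bb in PAYLOADS.items() if dangerous(convert(bb)))


if __name__ == "__main__":
    for name, bb in PAYLOADS.items():
        print(name, "naive:   ", naive_to_html(bb))
        print(name, "hardened:", hardened_to_html(bb))
    print("naive fails on:", run_payloads(naive_to_html))
    print("hardened fails on:", run_payloads(hardened_to_html))
```

The encode-only variant survives the attribute break-out payload, because the quote really is encoded, which is exactly the property a blurb like the one above describes; it still emits a clickable javascript: link, because encoding a URL does not change what scheme it has. The hardened variant treats the attribute value as a URL, not as a string, and renders anything it cannot validate as plain text.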