The font size given in a size tag is not checked and translates directly into the respective font-size CSS style. Malicious users could use text with font sizes > 1000 and obstruct the use of the thread, depending on the theme.
A fix would be to edit the respective regular expression in bbcode-filter.inc to only match values between 6 and 48, but I seem to be missing the regexp skills to come up with such an expression.
Comments
Comment #1
naudefj commented: This issue is already mentioned in the README file's TO DO section.
Problem is that one cannot construct a regular expression to check numeric ranges. One would need to write a validation function for each tag that needs to be checked, or introduce a new parser that is not regular expression-based.
Anyone willing to tackle this?
Comment #2
linulo commented: What are allowed values in [size] tags? Just numbers representing height in pixels? If so I am confident it can be done with a regular expression. The more flexible approach would of course be a dedicated function. I will have a deeper look in the code in the near future but cannot yet promise to come up with a solution anytime soon.
Comment #3
naudefj commented: The HEAD version of BBCode was changed to restrict [SIZE=x] to 1 or 2 digits ([0-9]{1,2}). So, the range is now 0-99 -- slightly better, but not quite there yet.
If you know of a better way, please let me know!
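As an added illustration, not code from the bbcode module or from anyone in this thread, the unchecked behaviour the report describes beside the two fixes discussed so far: a validation function with configurable bounds (Comments #1 and #2) and a fixed 6-48 range expressed purely as a regular expression (Comment #2). Function names, the sample posts and the tag regex are assumptions; the module's own regex in bbcode-filter.inc is not shown in the thread.

```python
import html
import re

# Hypothetical tag regex standing in for the module's own; only digits are captured,
# and the size is converted to a span style exactly as the report describes.
SIZE_TAG = re.compile(r"\[size=(\d+)\](.*?)\[/size\]", re.IGNORECASE | re.DOTALL)

def filter_size_unchecked(text: str) -> str:
    """Reported defect: the digits land in font-size with no bound, so [size=5000] is honoured."""
    return SIZE_TAG.sub(
        lambda m: f'<span style="font-size: {m.group(1)}px">{html.escape(m.group(2))}</span>',
        text,
    )

def filter_size_checked(text: str, min_px: int = 6, max_px: int = 48) -> str:
    """Validation-function approach: the regex only extracts, a separate check enforces the
    configurable range. Out-of-range tags are left as literal (escaped) text rather than rendered."""
    def repl(m: re.Match) -> str:
        digits = m.group(1)
        # Reject absurdly long digit runs before int() ever sees them.
        if len(digits) > 4 or not (min_px <= int(digits) <= max_px):
            return html.escape(m.group(0))
        return f'<span style="font-size: {int(digits)}px">{html.escape(m.group(2))}</span>'
    return SIZE_TAG.sub(repl, text)

# Fixed-range alternative: 6-48 spelled out as an alternation. It works, but every change of
# bounds means rewriting the pattern, which is the configurability problem raised in Comment #4.
FIXED_RANGE_6_48 = re.compile(r"[6-9]|[1-3][0-9]|4[0-8]")

def size_in_fixed_range(value: str) -> bool:
    """True only for the strings 6..48 without leading zeros."""
    return FIXED_RANGE_6_48.fullmatch(value) is not None

if __name__ == "__main__":
    # Constructed sample posts, not taken from the thread.
    for post in ["[size=14]normal text[/size]",
                 "[size=5000]obstructs the thread[/size]",
                 "[size=3]too small[/size]"]:
        print("unchecked:", filter_size_unchecked(post))
        print("checked:  ", filter_size_checked(post))
```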
Comment #4
linulo commented: Thanks for your fast response.
My first idea was conditional regexps, but configuration of the maximum and minimum size would be cumbersome at least. I think your fix is just fine for now. I still am going to see if I can write a function to make it configurable.
Comment #5
naudefj commented: Problem fixed - see http://cvs.drupal.org/viewcvs/drupal/contributions/modules/bbcode/bbcode...
Comment #6
linulo commented: Beautiful, thank you.