Thursday, June 28, 2007

Interview with Edward Z. Yang

In case you didn't know this before, Edward Z. Yang is the man behind HTML Purifier, a highly effective whitelist filter for preventing Cross Site Scripting. I recommend remembering his name, by the way.

A couple of days ago I thought it would be a good idea to interview him about his product in order to promote it; it's pretty funny that Chris Shiflett apparently had the same idea.

Thanks to Edward for answering my questions. I hope you enjoy it as much as I did.

1) Could you tell my readers a few words about yourself?
Hi, my name is Edward Z. Yang, and I am responsible for bringing HTML Purifier into this world. As a PHP programmer, you'll also find me helping other people with their questions at DevNetwork forums and contributing to PHP's documentation.

2) What is HTML Purifier and what's so special about it?
HTML Purifier is a standards-compliant HTML filter. What makes it special is the keyword "standards-compliant"; HTML Purifier operates off of the principle that if you implement the HTML spec, you can create a foolproof filter. HTML Purifier knows everything there is to know about HTML: valid attributes, content models, CSS, chameleon tags, etc. Plus, it attempts to fix poorly written HTML, rather than emit cryptic error messages.

3) What is technically required to use it?
HTML Purifier is written in PHP and has been tested with PHP 4.3.2 or higher. I have, however, had individuals contact me about interfacing with the library from other programming languages: while no port of HTML Purifier currently exists (last I heard, someone was attempting a Java port, but I am not sure if it ever came to fruition), it is not difficult to create a wrapper command line script to call HTML Purifier with.

4) When did you start working on your product and what was your intention at that time?
The concept of HTML Purifier emerged the Spring of 2006. However, I had been toying around with the idea as far back as 2005; originally, I needed some way to filter HTML for a literature management system (now defunct). One class survived from that original body of code: MarkupLexer, which was essentially a token based HTML parser; everything else followed.

5) What kind of feedback did you receive after the first release?
The first public beta was released on August 16, 2006; the 1.0.0 release followed shortly after on September 1st. I vaguely remember the response being lukewarm: the original pitch went to members of the DevNetwork forum, who loved the library, but I didn't do very much publicity: I submitted a Digg story which got 7 diggs (2.0.0 didn't do much better, but I diversified and HTML Purifier was a hit over at DZone and del.icio.us).

6) Who does actually use the Purifier today?
The four projects I know of that use HTML Purifier by default are BitWeaver, PHProjekt, Lilina and TikiWiki (BitWeaver hasn't officially released the HTML Purifier enabled version yet). We also have extensions available for Drupal, Wordpress, and Modx. And then, of course, there are developers from all over the world (I've talked to French, Japanese, Chinese and German users of HTML Purifier) using HTML Purifier.

7) You have a comparison between HTML Purifier and similar filtering solutions on your website. Could you summarize the results?
In a nutshell, the comparison states that HTML Purifier is better than the rest. ::laughs:: Of course, no one would believe me if I said just that, so the document is pretty lengthy. Most of the filters use blacklists, which are fundamentally insecure, and I've also noticed that most of them don't seem to be actively maintained, which is a big no-no in combination with blacklists. None of them can offer standards-compliance, although SafeHTMLChecker comes close, and none of them offer standards-compliance and at the same time try to correct poorly written HTML.
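As an added illustration of the whitelist principle described in answers 2 and 7 (this is example code written for this post, not HTML Purifier's own code, and in Python rather than PHP; the allowlist, the http(s)-only href rule and the class and function names are assumed for the demo): a token-based filter that rebuilds its output only from known elements and attributes, drops script and style together with their content, and closes tags the input left open or mis-nested instead of rejecting the input.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed allowlist for this demo, not HTML Purifier's real definitions: element -> attributes.
ALLOWED = {"p": set(), "b": set(), "i": set(), "li": set(), "a": {"href", "title"}}

class WhitelistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skipping = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):    # drop the element together with its text
            self.skipping = tag
        if self.skipping or tag not in ALLOWED:
            return                        # unknown element: tag dropped, text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                  # e.g. event-handler attributes never pass
            if name == "href" and urlparse(value).scheme not in ("http", "https"):
                continue                  # only absolute http(s) links survive
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif not self.skipping and tag in self.stack:
            while self.stack:             # close mis-nested children first
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()                      # flush any text still buffered by the parser
        while self.stack:                 # close anything the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

def purify(html):
    f = WhitelistFilter()
    f.feed(html)
    return f.result()
```

Comments, declarations and processing instructions are dropped as well, since the filter never copies input it has not explicitly recognised.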

8) You have recently released version 2.0.0 and 2.0.1. Could you describe the major improvements to previous versions?
HTML Purifier 2.0 adds the Tidy module (nothing to do with HTMLTidy, by the way) and Advanced API which effectively make HTML Purifier feature-complete with regards to HTML filtering. There's a little more work to be done with cleaning up MSWord HTML, but users have all the facilities they need to implement custom HTML tags and attributes. 2.0.1 is your average stability/maintenance release, but it also sneaks in a number of experimental features such as error reporting and auto-paragraphing.

9) What do you think about the present status of Web application security in general?
It's still far too easy to do the wrong thing. While helping out newbies at DevNetwork, this is quite evident: people will come in because their code doesn't work, and we'll end up also fixing SQL injections, XSS vectors, and poor coding in general. But things are getting better: there's more literature out there on security, and general awareness of the issue has been rising.

10) Is there anything left you want to say?
For more information, you can check out the library at its website, or poke it at the demo.

Thanks!

Wednesday, June 27, 2007

Planet-Websecurity.org is launching

Those of you who have spoken to me recently may already be aware of this project, but for those who aren't, I am pleased to announce the launch of Planet Websecurity, founded with the intention of bringing together similarly themed news and rants related to Web security and displaying them in one place.

There isn't currently much on the site, except for the articles, which are located in an archive that allows you to browse through previous entries, and a search facility that may help you find articles on topics you are particularly interested in.

Last but not least there is an RSS feed, subscribers to which are highly appreciated. If you would like to contribute to the planet, you're more than welcome to send me an e-mail or use the proposal form.

Ultimately I hope this site helps to keep track of what is going on in the business and last, but not least, many thanks to all contributors.

Saturday, June 23, 2007

Google Says Thank You

Some of you might have seen that there was something going on with 40+ security vulnerabilities on YouTube and an ultimatum issued by me. Well, that is correct. Now let me explain what happened.

A couple of months ago I discovered several security holes on YouTube, which I have already mentioned earlier on my blog. Apparently YouTube didn't respond to my reports and continued adding new features with new critical holes. The result after a few weeks was indeed about 40 or even more XSS vulnerabilities on a website acquired by Google with hundreds of thousands of users each day.

I've been in the security industry for quite some time now, long enough to be able to assess the possible consequences and the likelihood of a severe attack on such a site. Over time, social networking sites in particular will definitely become a favored target for Web worms that might even propagate on more than one site. What happened on MySpace back in 2005 was in fact just an idea of what could happen if we were faced with an XSS based Warhol Worm. Yeah, Samy proved that this is not too far off base, and I know that other security researchers agree with me on this matter.

So in case you are still wondering, I chose the path of responsible disclosure instead of just releasing all vulnerabilities to the public because I don't want something like that to happen.

A few days after I issued the ultimatum, Google Security contacted me and we were able to fix all known vulnerabilities. I have also talked with Hunter Walk, who is Product Manager at YouTube, and suggested that he set up a security response team at YouTube to make sure that issues like these are better routed in the future. He promised me to take care of that.

I appreciate this because I think that when a company has a well-functioning security response team and credits reports appropriately, researchers will be far more motivated to report what they have found.

The Google Security Team is already doing that and publicly thanks me at http://www.google.com/corporate/security.html. Additionally, they sent me a Google t-shirt, which is really cool ;)

I think they have learned their lesson from all the noise.

Sunday, June 10, 2007

PHPIDS released

We are proud to announce the first stable release of our earlier discussed PHP Intrusion Detection System, or simply PHPIDS. From now on, you will find the project page, including a demo, Trac and a forum, at http://php-ids.org/.

At this point, I would like to thank everyone who helped to improve the quality of the IDS, notably RSnake for providing ha.ckers and sla.ckers.org, Ronald van den Heetkamp for his continuous assistance, Kishor for circumventing (and thereby enhancing) our rules numerous times, and of course Martin Hinks for porting PHPIDS to .NETIDS. Many thanks also to the webappsec mailing list.

Feedback is still more than welcome, either by commenting on this post or via the Google group.

For my German readers, here is Mario Heiderich's statement:
http://mario.heideri.ch/phpids-der-erste-offizielle-release/

Thanks everybody!

Friday, June 08, 2007

I've got my unique XSS book

Thanks to Jeremiah Grossman from WhiteHat Security, I finally received a signed copy of the new XSS book most of you might know. It took only three days from the USA to Germany, and I'm looking forward to reading it.

If you don't already have a copy, I recommend buying it.

Special thanks again go to Jeremiah, I owe you. Maybe we will meet some day.