Security Overview for reBB
Implemented Security Measures
1. Input Validation
- Form name parameters are sanitized using preg_replace to allow only alphanumeric characters, underscores, and hyphens
- JSON data is properly decoded and validated before use
2. Sensitive Information Detection
- Forms are scanned for sensitive keywords
- Warning is displayed to users when sensitive information is requested
3. Dangerous JavaScript Detection
- Forms are now scanned for potentially dangerous JavaScript patterns
- Detection includes:
  - Executable code (eval, setTimeout, setInterval)
  - DOM manipulation (innerHTML, outerHTML)
  - Event handlers (onclick, onload, onerror)
  - Network requests (fetch, XMLHttpRequest)
  - Storage manipulation (localStorage, sessionStorage)
  - Navigation manipulation (window.location, window.open)
  - Embedded content (iframe, script tags)
  - Data URI schemes
4. Security Confirmation Mechanism
- When dangerous JavaScript is detected, form loading is blocked
- Clear warning is displayed with specific threats identified
- Users must explicitly confirm they understand the risks to proceed
- Option to safely return to the index page
5. File Path Security
- File paths are constructed safely to prevent directory traversal attacks
- Form files are limited to the designated forms directory
6. Content Security
- Content-Type headers are properly set for different response types
- HTML output is escaped to prevent XSS attacks
How the Security System Works
- When a form is requested, the system loads the form schema JSON file
- The system scans both the schema and template for dangerous patterns
- If dangerous patterns are detected, a security overlay blocks access
- The user must explicitly acknowledge the risk to proceed
- Security warnings use a separate CSS file for styling
- All detected threats are listed for transparency
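The following is an added illustration of the form-name sanitization (section 1), the dangerous-pattern scan (section 3) and the confined file-path construction (section 5) as standalone PHP helpers; it is not reBB's own code. The function names, the regexes and the forms directory are assumptions chosen to match the categories listed above.

```php
<?php
// Added example, not reBB's own code. Function names, regexes and the
// forms directory are assumptions that follow the overview's categories.

// Section 1: keep only alphanumerics, underscores and hyphens in a form name.
function sanitizeFormName(string $name): string
{
    return preg_replace('/[^A-Za-z0-9_-]/', '', $name);
}

// Section 5: build the schema path and confirm it resolves inside $formsDir.
// Returns null when the file does not exist or the path escapes the directory.
function safeFormPath(string $formsDir, string $name): ?string
{
    $base = realpath($formsDir);
    if ($base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    $path = realpath($prefix . sanitizeFormName($name) . '.json');
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // realpath() has collapsed "..", so a prefix check suffices
    }
    return $path;
}

// Section 3: one regex per category from the overview. Returns the labels that
// matched so the security overlay can list every detected threat.
function scanForDangerousPatterns(string $content): array
{
    $patterns = [
        'Executable code'         => '/\b(eval|setTimeout|setInterval)\s*\(/i',
        'DOM manipulation'        => '/\b(innerHTML|outerHTML)\b/i',
        'Event handlers'          => '/\bon(click|load|error)\s*=/i',
        'Network requests'        => '/\b(fetch\s*\(|XMLHttpRequest)/i',
        'Storage manipulation'    => '/\b(localStorage|sessionStorage)\b/i',
        'Navigation manipulation' => '/\bwindow\.(location|open)\b/i',
        'Embedded content'        => '/<\s*(iframe|script)\b/i',
        'Data URI schemes'        => '/\bdata:[a-z]+\/[a-z0-9.+-]+[;,]/i',
    ];
    $found = [];
    foreach ($patterns as $label => $regex) {
        if (preg_match($regex, $content) === 1) {
            $found[] = $label;
        }
    }
    return $found;
}

// Constructed sample schema: an inline onclick handler that issues a fetch().
$schema = '{"components":[{"html":"<button onclick=\"fetch(\'/x\')\">go</button>"}]}';
print_r(scanForDangerousPatterns($schema));
var_dump(safeFormPath(__DIR__ . '/forms', '../../etc/passwd'));
```

Both the schema and the template are passed through scanForDangerousPatterns(); a non-empty result is what triggers the blocking overlay, and the returned labels are the threats it lists.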
This security system provides a good balance between user protection and functionality, allowing users to make informed decisions about potentially risky forms.