RE: Preventing cross site scripting

[Jeremiah Grossman <jeremiah () whitehatsec com>]

This post reminded me of another potential gotcha in HTML/JS filtering.
All filtering activities should actually replace data with something,
not just remove the data altogether.

Example, the following input string:

<BAD<BADTAG>TAG></BAD</BADTAG>TAG>

would result in the following if a remove system were in place:

<BADTAG></BADTAG>

Which could be harmful if rendered.
However, if the tag were to be replaced:

<BAD<X>TAG></BAD</X>TAG>

We get a tad more html rendering safety.


this filtering stuff gets fun eh.


Regards,

Jer-




On Thu, 2003-06-19 at 19:16, Mutallip Ablimit wrote:
> Yes, replace all of the unacceptable tags with "", it will work fine.
> And for a plus,
> PHP has a strip_tags() function.
> Didn't have tried yet, but I think it could be used to remove all
> unacceptable tags.
> In this case, may be you have to make a list of all allowed tags.
>
> strip_tags($Text, "<allowed tag>");
>
> This will only allows the "<allowed tag>".
>
> Regards,
>
> -----------
> Mutellip Ablimit
> INSI
> mutax () insi co jp
>
> -----Original Message-----
> From: David Cameron [mailto:dcameron () itis-now com]
> Sent: Friday, June 20, 2003 10:51 AM
> To: Andrew Beverley; webappsec () securityfocus com
> Subject: RE: Preventing cross site scripting
>
>
> Create a list of unacceptable tags in an array (eg applet, embed), loop
> through the array and generate a regexpr based on the array, something of
> the form:
> <(applet)|(embed).?> and replace all instances with "".
>
> Do the same for any possible closing tags ie:
> </(applet)|(embed)> and replace all instances with "".
>
> BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you get
> the idea.
>
> regards
> David Cameron
> nOw.b2b
> dcameron () itis-now com
>
> > -----Original Message-----
> > From: Andrew Beverley [mailto:mail () andybev com]
> > Sent: Friday, 20 June 2003 4:28 AM
> > To: webappsec () securityfocus com
> > Subject: Preventing cross site scripting
> >
> >
> > I am currently writing a web application that, as a small part of it,
> > needs to display an email message. Obviously the message is
> > potentially
> > in html format, which to display could be sent straight to
> > the browser.
> >
> > I would like to know the best way of filtering out undesirable html. I
> > understand the best way is to only allow acceptable
> > information, in this
> > case all the different html formatting tags.
> >
> > However, there is a lot of tags that are acceptable. Another approach
> > would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>,
> > <APPLET>, and <EMBED> but this is far from ideal because of new tags
> > becoming available and so on.
> >
> > Are there any functions available (for php) that will take a html page
> > as input and strip out all nasty stuff? Does anyone have
> > suggestions as
> > to how to do this as easy as possible?
> >
> > Thanks,
> >
> > Andrew Beverley
-- 




Jeremiah Grossman
Chief Executive Officer
WhiteHat Security, Inc.
Tel: 408.492.1817

===========================================================
 This message and any files transmitted with it, may 
 contain confidential and privileged information. This 
 message is intended solely for the use of the individual 
 or entity to whom it is addressed. If the message has 
 been sent to you in error, please reply to inform the 
 sender of the error and then delete this message. You 
 are notified that reliance on, disclosure of, 
 distribution or copying of this message is prohibited.                 
                                                                                
 WhiteHat Security, Inc.                                
===========================================================