WebApp Sec mailing list archives
Re: HTML entity bignums
From: "Ulf Harnhammar" <metaur () operamail com>
Date: Wed, 30 Jul 2003 13:37:52 +0100
Hello list and Ingo!
- - output filtering: HTML/XML output is only acceptable from trusted sources, i.e.
The problem I've been thinking about lately, because of working on my HTML filter kses, is how to allow some HTML input (elements and entities) without being insecure. There are lots of steps you have to take to parse and rebuild stuff, as you wrote, and one step that some other people have forgotten about is to check numeric entities and limit their size. That's what I wanted to point out with my post.

One situation where this might be a real issue is when you check that URLs only have allowed protocols like "http:" and "https:", and not any others like "javascript:" and "about:". If the user can insert colons that the code doesn't recognize, he or she (usually he..) can fool this URL protocol checking part of the filter. This could possibly lead to this XSS hole, if the rest of the filter allows frames:

<frame src="javascript [bignum_entity_for_colon] alert(57)">

Parts of your post seem to deal with a situation where all HTML elements and entities should be disarmed, but that problem is simpler. In web mail systems and web forums, you often want to allow some HTML constructs, and that's the problem I'm trying to solve.

// Ulf Harnhammar

kses - PHP HTML/XHTML filter
http://sourceforge.net/projects/kses
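As an added example (not kses code and not from anyone in this thread), here is a Python sketch of the check Ulf describes: numeric entities are decoded with a size limit before the URL scheme is compared against an allowlist, shown next to a flawed decoder that reduces the value modulo 256 (PHP's chr() behaviour) and so lets an oversized entity turn into a colon. The allowlist and the sample URLs are constructed for the example.

```python
import re

# Added example (not kses code): decode numeric entities with a size check
# BEFORE checking the URL scheme, so an oversized entity cannot alias ':'.
ENTITY_RE = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);")
MAX_CODEPOINT = 0x10FFFF             # largest Unicode scalar value
ALLOWED_SCHEMES = {"http", "https"}  # assumed allowlist for this example


def entity_value(body):
    """Numeric value of the text between '&#' and ';' (decimal or hex)."""
    return int(body[1:], 16) if body[0] in "xX" else int(body)


def decode_entities_naive(text):
    """Flawed decoder: reduces the value modulo 256, as PHP's chr() does,
    so any value congruent to 58 mod 256 silently becomes ':'."""
    return ENTITY_RE.sub(lambda m: chr(entity_value(m.group(1)) % 256), text)


def decode_entities_safe(text):
    """Decoder with a size limit: returns None (reject the input) if any
    numeric entity is zero, a surrogate, or above MAX_CODEPOINT."""
    out, pos = [], 0
    for m in ENTITY_RE.finditer(text):
        value = entity_value(m.group(1))
        if value == 0 or 0xD800 <= value <= 0xDFFF or value > MAX_CODEPOINT:
            return None
        out.append(text[pos:m.start()])
        out.append(chr(value))
        pos = m.end()
    out.append(text[pos:])
    return "".join(out)


def url_scheme_allowed(url):
    """True only if, after safe decoding, the URL is relative or uses an
    allowed scheme. Decoding runs first so entities cannot hide a colon."""
    decoded = decode_entities_safe(url)
    if decoded is None:
        return False
    if ":" not in decoded:
        return True                      # relative URL, no scheme to check
    return decoded.split(":", 1)[0].strip().lower() in ALLOWED_SCHEMES


if __name__ == "__main__":
    for sample in ("http://example.com/", "javascript&#58;alert(57)",
                   "javascript&#4294967354;alert(57)"):   # constructed samples
        print(sample, "->", url_scheme_allowed(sample))
```

The safe decoder rejects the oversized entity outright rather than guessing what it was meant to be, which is the "limit their size" step from the post; the naive decoder shows why a check done on the raw, undecoded string is not enough.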