WebApp Sec mailing list archives

Re: HTML entity bignums


From: "Ulf Harnhammar" <metaur () operamail com>
Date: Wed, 30 Jul 2003 13:37:52 +0100

Hello list and Ingo!

- - output filtering:
  HTML/XML output is only acceptable from trusted sources, i.e. 

The problem I've been thinking about lately, because of working on my HTML filter kses, is how to allow some HTML input 
(elements and entities) without being insecure. There are lots of steps you have to take to parse and rebuild stuff, as 
you wrote, and one step that some other people have forgotten about is to check numeric entities and limit their size. 
That's what I wanted to point out with my post.

One situation where this might be a real issue is when you check that URLs only have allowed protocols like "http:" and 
"https:", and not any others like "javascript:" and "about:". If the user can insert colons that the code doesn't 
recognize, he or she (usually he..) can fool this URL protocol checking part of the filter. This could possibly lead to 
this XSS hole, if the rest of the filter allows frames:  <frame src="javascript [bignum_entity_for_colon] alert(57)">

Parts of your post seem to deal with a situation where all HTML elements and entities should be disarmed, but that 
problem is simpler. In web mail systems and web forums, you often want to allow some HTML constructs, and that's the 
problem I'm trying to solve.

// Ulf Harnhammar
   kses - PHP HTML/XHTML filter
   http://sourceforge.net/projects/kses
