WebApp Sec mailing list archives

Re: whitelisting HTML tags


From: "Tomek Perlak" <tomekperlak () tlen pl>
Date: Wed, 2 Nov 2005 10:28:33 -0500

If you can attach an event handler to an html element, the element is not quite
safe. That would make all of the "on__" attributes unsafe by default (one
could imagine a script invoked by onmouseover="doSomething();").

This would also make the 'style' attribute unsafe, as with the background
image reference you mention.

----- Original Message ----- From: "Jeff Robertson" <jeff.robertson () digitalinsight com>
To: <webappsec () securityfocus com>
Sent: Tuesday, November 01, 2005 20:43
Subject: whitelisting HTML tags


I need to tell my development to limit the HTML tags allowed in input to a
subset that can't be used for XSS.

Any guidelines for this? Obviously <SCRIPT> and <IMG> are out.. but I want
a whitelist of "safe" tags, not a blacklist of "bad" ones. Also, attributes.
A list of attributes for each element that CANNOT introduce script code or
references to background images, etc.

As we've seen recently with MySpace, allowing HTML and attempting to keep
out XSS are nearly contradictory goals, and yet nearly every dynamic
content site deals with it somehow. Are there any existing open source
applications that do a particularly good job of this, so that I can just
point and say "do it like XXX does"?

Developers have suggested using BBCode instead of HTML, but considering
that the target audience of end users is probably going to want to copy and
paste HTML straight out of FrontPage, I doubt BBCode will fly with the customer.

