WebApp Sec mailing list archives
Re: whitelisting HTML tags
From: "Tomek Perlak" <tomekperlak () tlen pl>
Date: Wed, 2 Nov 2005 10:28:33 -0500
If you can attach an event handler to an html element, element is not quite safe. That would make all of the "on__" attributes unsafe by default (one could imagine a script invoked by onmouseover="doSomething();") This would also make the 'style' atttribute unsafe - as with background image reference you mention;----- Original Message ----- From: "Jeff Robertson" <jeff.robertson () digitalinsight com>
To: <webappsec () securityfocus com> Sent: Tuesday, November 01, 2005 20:43 Subject: whitelisting HTML tags
I need to tell my development to limit the HTML tags allowed in input to a subset that can't be used for XSS. Any guidelines for this? Obviously <SCRIPT> and <IMG> are out.. but I want a whitelist of "safe" tags, not a blacklist of "bad" ones. Also, attributes. A list of attributes for each element that CANNOT introduce script code or references to background images, etc. As we've seen recently with MySpace, allowing HTML and attempting to keep out XSS are nearly contradictory goals, and yet nearly every dyanamic content site deals with it somehow. Are there any existing open source applications that do a particularly good job of this, so that I can just point and say "do it like XXX does"? Developers have suggested using BBCode instead of HTML, but considering that the target audience of end users is probably going to want to copy and paste HTML straight out of FrontPage, I doubt BBCode will fly with the customer.
Current thread:
- whitelisting HTML tags Jeff Robertson (Nov 02)
- Re: whitelisting HTML tags Richard Moore (Nov 02)
- Message not available
- Re: whitelisting HTML tags Richard Moore (Nov 02)
- Message not available
- Re: whitelisting HTML tags Richard Moore (Nov 02)
- Re: whitelisting HTML tags Tomek Perlak (Nov 02)
- Re: whitelisting HTML tags Sverre H. Huseby (Nov 03)
- Re: whitelisting HTML tags bugtraq (Nov 03)
- <Possible follow-ups>
- RE: whitelisting HTML tags Jeff Robertson (Nov 02)
- Re: whitelisting HTML tags Simon Cornelius P. Umacob (Nov 03)
- RE: whitelisting HTML tags RSnake (Nov 03)
- Re: whitelisting HTML tags Tim (Nov 03)
- Re: whitelisting HTML tags Adam Shostack (Nov 04)
- Message not available
- Re: whitelisting HTML tags Adam Shostack (Nov 07)
- RE: whitelisting HTML tags Tim Hollebeek (Nov 07)
- RE: whitelisting HTML tags Tim Hollebeek (Nov 07)