WebApp Sec mailing list archives
RE: whitelisting HTML tags
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 2 Nov 2005 10:56:24 -0600
Jeff, I spent a lot of time looking for one for my personal website, and I could not find a Java or .NET (insert_syntax) library to do this. (Rolling_my_own != weekend_freetime) In the end I selected the Post-NUKE PHP framework because they had all this pre-rolled. It's very granular. Take a look at how they've implemented controls. Looking at their code, I think a C# or Java implementation would not be hard.

<aside>
I'm quite fond of it; I allow myself a few more attributes than users and non-users, as certain of my friends/coworkers have been known to generate hundreds and thousands of alerts from my "app_IDS" module by their attempted "posts". :) Some were quite creative and helped me identify unusual XSS opportunities. One XSS I've left active on my site because (a) it's never going to impact me and (b) only two people have been able to find it, and not one scanner.
</aside>

A helpful resource, in addition to the Post-NUKE code, if you decide to roll your own whitelist is reviewing the XSS attack variants on:

http://ha.ckers.org/xss.html

which is also in the awesome new OWASP Guide 2.0.1, which I'm sure you've probably read. This will give you a feel for common tag and element injections if you're not already intimately familiar.

-ae
-----Original Message-----
From: Jeff Robertson [mailto:jeff.robertson () digitalinsight com]
Sent: Wednesday, November 02, 2005 9:55 AM
To: 'Sverre H. Huseby'
Cc: 'webappsec () securityfocus com'
Subject: RE: whitelisting HTML tags

This is exactly the sort of thing I'm looking for. Anyone know of any libraries (preferably in Java) that already do this?

Jeff Robertson
Manager of Web Application Security
Digital Insight

-----Original Message-----
From: Sverre H. Huseby [mailto:shh () thathost com]
Sent: Wednesday, November 02, 2005 10:52
To: Jeff Robertson
Cc: 'webappsec () securityfocus com'
Subject: Re: whitelisting HTML tags

[Jeff Robertson]
| I need to tell my development to limit the HTML tags allowed in
| input to a subset that can't be used for XSS. Any guidelines for
| this?

You need three levels of whitelisting:

* For allowed _tags_

* For allowed _attributes_ for the allowed tags (separate attribute
  whitelist for each tag)
  To avoid e.g. onload, onclick and stuff
  If you allow an "img" tag, you could allow the "src" and "alt"
  attributes, and discard the rest.

* For allowed _attribute_values_ for the allowed attributes
  To avoid e.g. href="javascript:..."
  You would allow src="http:..." and src="ftp:", and discard the rest.

Sverre.

--
shh () thathost com              My web security book: Innocent Code
http://shh.thathost.com/        http://innocentcode.thathost.com/
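Sverre's three levels (tags, attributes per tag, attribute values) map directly onto a small whitelist sanitizer. The code below is an added example, not code from anyone in this thread, the Post-NUKE framework, or the OWASP Guide; it is written in Python on the standard library (Jeff asked for Java, but the structure ports one-to-one), and the tag list, attribute lists and allowed URL schemes are an assumed policy chosen for illustration. Two details the thread does not spell out but a practitioner needs: the scheme check must run on a normalised value, because browsers ignore leading whitespace and embedded tabs/newlines ("java\tscript:") and the parser has already decoded entities ("&#106;avascript:") before your code sees them; and the output must be re-serialized from the parsed tokens with escaping, never copied through from the raw input, so that malformed markup cannot slip past the whitelist.

```python
"""Whitelist-based HTML sanitizer: allowed tags, allowed attributes per tag,
allowed attribute values (URL schemes). Added example; the policy below is
an assumption chosen for illustration, not anyone's production rule set."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Level 1 + 2: each allowed tag carries its own attribute whitelist.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}                  # no closing tag expected
URL_ATTRS = {"href", "src"}           # attribute values that are URLs
ALLOWED_SCHEMES = {"http", "https", "ftp"}   # Level 3 policy (assumed)
DROP_CONTENT = {"script", "style"}    # drop the tag AND its text content


def safe_url(value):
    """Level 3: keep only absolute URLs with a whitelisted scheme, or None."""
    # Browsers ignore surrounding whitespace and embedded tabs/newlines, so
    # " java\tscript:" must be normalised before the scheme is compared.
    cleaned = "".join(c for c in value.strip() if c not in "\t\r\n" and ord(c) >= 0x20)
    parts = urlsplit(cleaned)         # urlsplit lower-cases the scheme
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return cleaned


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # text and attrs arrive decoded
        self.out = []
        self.open = []   # tags we actually emitted, so closes always balance
        self.skip = 0    # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED:
            return                      # drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue                # drops onload=, onclick=, style=, ...
            value = value or ""
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue            # drops href="javascript:..."
            # Re-serialize from the parsed token; never copy raw input through.
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
            return
        if tag in self.open:            # ignore stray closes we never opened
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open:                # balance anything the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return a whitelisted, re-serialized copy of an untrusted HTML fragment."""
    s = Sanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real site.
    for src in ('<p onclick="x()">Hi <b>there</b></p>',
                '<a href=" java\tscript:alert(1)">x</a>',
                '<img src="http://example.com/a.png" onerror="alert(1)" alt="pic">',
                '<script>alert(1)</script>text'):
        print(repr(src), "->", repr(sanitize(src)))
```

Comments, processing instructions and declarations fall through the parser's default no-op handlers and are dropped. Note that this policy rejects relative URLs outright; if you need them, resolve them against your own origin before checking rather than loosening the scheme test.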