WebApp Sec mailing list archives

Re: whitelisting HTML tags


From: "Sverre H. Huseby" <shh () thathost com>
Date: Wed, 2 Nov 2005 16:52:20 +0100

[Jeff Robertson]

|   I need to tell my development to limit the HTML tags allowed in
|   input to a subset that can't be used for XSS.  Any guidelines for
|   this?

You need three levels of whitelisting:

  * For allowed _tags_

  * For allowed _attributes_ for the allowed tags (separate attribute
    whitelist for each tag)

      To avoid e.g. onload, onclick and stuff

      If you allow an "img" tag, you could allow the "src" and "alt"
      attributes, and discard the rest.

  * For allowed _attribute_values_ for the allowed attributes

      To avoid e.g. href="javascript:..."

      You would allow src="http:..." and src="ftp:", and discard the
      rest.


Sverre.

-- 
shh () thathost com               My web security book: Innocent Code
http://shh.thathost.com/       http://innocentcode.thathost.com/
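The three-level whitelist described in the post (tags, per-tag attributes, and schemes for URL-valued attributes), as an added example written for this page in Python on top of the standard-library html.parser; it is not code from the original post. The allowed sets (including https alongside http and ftp) are assumed for illustration, and unknown tags are dropped while their text content is kept and re-escaped.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Level 1 and 2: allowed tags, each with its own attribute whitelist
# (assumed sets for illustration). Anything not listed is dropped.
ALLOWED = {
    "b": set(), "i": set(), "p": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}
# Level 3: attributes that carry URLs may only use these schemes.
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def value_ok(attr, value):
    """Reject javascript:, data:, and also relative/schemeless URLs."""
    if attr not in URL_ATTRS:
        return True
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme in ALLOWED_SCHEMES


class Whitelister(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the tag itself; its text still flows through handle_data
        kept = []
        for name, value in attrs:
            if name in ALLOWED[tag] and value is not None and value_ok(name, value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-escape all text


def sanitize(html):
    parser = Whitelister()
    parser.feed(html)
    parser.close()  # flush buffered text
    return "".join(parser.out)
```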

