WebApp Sec mailing list archives

Re: whitelisting HTML tags


From: bugtraq () cgisecurity net
Date: Wed, 2 Nov 2005 10:45:03 -0500 (EST)

I need to tell my development to limit the HTML tags allowed in input to a
subset that can't be used for XSS.

Any guidelines for this? Obviously <SCRIPT> and <IMG> are out.. but I want a
whitelist of "safe" tags, not a blacklist of "bad" ones. Also, attributes. A
list of attributes for each element that CANNOT introduce script code or
references to background images, etc.

Even if you whitelist certain tags, script execution may still be possible in tag attributes.

Example:

<IMG SRC="javascript:alert(document.cookie);">

Other Examples: http://ha.ckers.org/xss.html


- admin () cgisecurity com
http://www.cgisecurity.com/
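
The point made in the reply above (a tag whitelist alone is not enough, because an allowed tag can still carry a script-bearing attribute) is illustrated here with a small whitelist sanitizer. This is an added example written for this archive page, not code from the thread or from cgisecurity.com. It assumes Python's standard `html.parser` module, a constructed tag/attribute whitelist (`ALLOWED_TAGS`, `ALLOWED_SCHEMES`) chosen for the demonstration, and constructed sample inputs, including the `javascript:` case from the reply. Unknown tags are dropped, unlisted attributes are dropped, and URL-valued attributes are kept only when their scheme is on the allow list after the whitespace and entity tricks browsers tolerate have been normalized away.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed whitelist for the example: each tag maps to the attributes it may carry.
# Anything not listed here is removed, tag and attribute alike (allow list, not deny list).
ALLOWED_TAGS = {
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
}
URL_ATTRS = {"href"}                       # attributes whose value is a URL
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}                         # never get a closing tag
DROP_CONTENT_TAGS = {"script", "style"}    # drop the element *and* its text


def safe_url(value):
    """True only if the URL is relative or uses an allowed scheme."""
    # Browsers ignore surrounding whitespace and embedded control characters
    # when resolving the scheme ("java\tscript:" still runs), so strip them first.
    cleaned = "".join(ch for ch in value.strip() if ord(ch) > 0x20)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:            # malformed input (e.g. unbalanced IPv6 brackets)
        return False
    return scheme == "" or scheme in ALLOWED_SCHEMES


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities in text/attrs are decoded
        self.out = []
        self.open_tags = []     # allowed tags currently open, so output stays balanced
        self.skip_depth = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):        # tag and attr names arrive lowercased
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        allowed_attrs = ALLOWED_TAGS.get(tag)
        if allowed_attrs is None:
            return                                # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            if name not in allowed_attrs or value is None:
                continue                          # e.g. onclick= on <a> is dropped
            if name in URL_ATTRS and not safe_url(value):
                continue                          # e.g. href="javascript:..." is dropped
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):     # <br/> style
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after it as well, so the output is well formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))   # text is never raw HTML

    def result(self):
        while self.open_tags:                     # close anything left open at EOF
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs, including the javascript: URL from the reply.
    for sample in ('<IMG SRC="javascript:alert(document.cookie);">',
                   '<a href="JaVaScRiPt:alert(1)">click</a>',
                   '<a href="&#106;ava&#09;script:alert(1)">x</a>',
                   '<a href="https://example.com/" onclick="alert(1)">ok</a>',
                   '<p>Hi <b>there</p>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The design point is that the scheme check runs on the decoded, normalized attribute value, not on the raw source text: entity-encoded or whitespace-split `javascript:` is the same URL once the browser is done with it, so the sanitizer must see what the browser will see. Extending the tag list means also deciding, per tag, which attributes are URL-valued and adding them to `URL_ATTRS`; any attribute that can hold a URL or a style (`src`, `style`, `background`, event handlers) is exactly the class the reply warns about.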

