WebApp Sec mailing list archives
whitelisting HTML tags
From: Jeff Robertson <jeff.robertson () digitalinsight com>
Date: Tue, 1 Nov 2005 20:43:50 -0500
I need to tell my development to limit the HTML tags allowed in input to a subset that can't be used for XSS. Any guidelines for this? Obviously <SCRIPT> and <IMG> are out.. but I want a whitelist of "safe" tags, not a blacklist of "bad" ones. Also, attributes. A list of attributes for each element that CANNOT introduce script code or references to background images, etc. As we've seen recently with MySpace, allowing HTML and attempting to keep out XSS are nearly contradictory goals, and yet nearly every dyanamic content site deals with it somehow. Are there any existing open source applications that do a particularly good job of this, so that I can just point and say "do it like XXX does"? Developers have suggested using BBCode instead of HTML, but considering that the target audience of end users is probably going to want to copy and paste HTML straight out of FrontPage, I doubt BBCode will fly with the customer.
Current thread:
- whitelisting HTML tags Jeff Robertson (Nov 02)
- Re: whitelisting HTML tags Richard Moore (Nov 02)
- Message not available
- Re: whitelisting HTML tags Richard Moore (Nov 02)
- Message not available
- Re: whitelisting HTML tags Richard Moore (Nov 02)
- Re: whitelisting HTML tags Tomek Perlak (Nov 02)
- Re: whitelisting HTML tags Sverre H. Huseby (Nov 03)
- Re: whitelisting HTML tags bugtraq (Nov 03)
- <Possible follow-ups>
- RE: whitelisting HTML tags Jeff Robertson (Nov 02)
- Re: whitelisting HTML tags Simon Cornelius P. Umacob (Nov 03)
- RE: whitelisting HTML tags RSnake (Nov 03)
- Re: whitelisting HTML tags Tim (Nov 03)
- Re: whitelisting HTML tags Adam Shostack (Nov 04)