WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: whitelisting HTML tags

From: Jeff Robertson <jeff.robertson () digitalinsight com>
Date: Wed, 2 Nov 2005 10:55:23 -0500 
This is exactly the sort of thing I'm looking for. Anyone know of any
libraries (preferably in Java) that already do this?

Jeff Robertson
Manager of Web Application Security
Digital Insight



-----Original Message-----
From: Sverre H. Huseby [mailto:shh () thathost com]
Sent: Wednesday, November 02, 2005 10:52
To: Jeff Robertson
Cc: 'webappsec () securityfocus com'
Subject: Re: whitelisting HTML tags


[Jeff Robertson]

|   I need to tell my development to limit the HTML tags allowed in
|   input to a subset that can't be used for XSS.  Any guidelines for
|   this?

You need three levels of whitelisting:

  * For allowed _tags_

  * For allowed _attributes_ for the allowed tags (separate attribute
    whitelist for each tag)

      To avoid e.g.  onload, onclick and stuff

      If you allow an "img" tag, you could allow the "src" and "alt"
      attributes, and discard the rest.

  * For allowed _attribute_values_ for the allowed attributes

      To avoid e.g.  href="javascript:..."

      You would allow src="http:..." and src="ftp:", and discard the
      rest.


Sverre.

-- 
shh () thathost com               My web security book: Innocent Code
http://shh.thathost.com/       http://innocentcode.thathost.com/
Previous By Date Next
Previous By Thread Next

Current thread: