WebApp Sec mailing list archives
RE: whitelisting HTML tags
From: "Ory Segal" <osegal () watchfire com>
Date: Thu, 3 Nov 2005 15:41:17 +0200
Hi, Are you aware that XSS is only a subset of HTML tags injection issues? The ability to embed HTML tags in a response page can allow malicious users to modify the page (somewhat like defacement, only it's not permanent, and will work for a specific user only). -Ory -----Original Message----- From: Jeff Robertson [mailto:jeff.robertson () digitalinsight com] Sent: Wednesday, November 02, 2005 3:44 AM To: 'webappsec () securityfocus com' Subject: whitelisting HTML tags I need to tell my development to limit the HTML tags allowed in input to a subset that can't be used for XSS. Any guidelines for this? Obviously <SCRIPT> and <IMG> are out.. but I want a whitelist of "safe" tags, not a blacklist of "bad" ones. Also, attributes. A list of attributes for each element that CANNOT introduce script code or references to background images, etc. As we've seen recently with MySpace, allowing HTML and attempting to keep out XSS are nearly contradictory goals, and yet nearly every dyanamic content site deals with it somehow. Are there any existing open source applications that do a particularly good job of this, so that I can just point and say "do it like XXX does"? Developers have suggested using BBCode instead of HTML, but considering that the target audience of end users is probably going to want to copy and paste HTML straight out of FrontPage, I doubt BBCode will fly with the customer.
Current thread:
- Re: whitelisting HTML tags, (continued)
- Re: whitelisting HTML tags bugtraq (Nov 03)
- RE: whitelisting HTML tags Jeff Robertson (Nov 02)
- Re: whitelisting HTML tags Simon Cornelius P. Umacob (Nov 03)
- RE: whitelisting HTML tags RSnake (Nov 03)
- Re: whitelisting HTML tags Tim (Nov 03)
- Re: whitelisting HTML tags Adam Shostack (Nov 04)
- Message not available
- Re: whitelisting HTML tags Adam Shostack (Nov 07)
- RE: whitelisting HTML tags Tim Hollebeek (Nov 07)
- RE: whitelisting HTML tags Tim Hollebeek (Nov 07)