WebApp Sec mailing list archives

RE: whitelisting HTML tags


From: "Ory Segal" <osegal () watchfire com>
Date: Thu, 3 Nov 2005 15:41:17 +0200

Hi,

Are you aware that XSS is only a subset of HTML tags injection issues? 

The ability to embed HTML tags in a response page can allow malicious
users to modify the page (somewhat like defacement, only it's not
permanent, and will work for a specific user only).

-Ory


-----Original Message-----
From: Jeff Robertson [mailto:jeff.robertson () digitalinsight com] 
Sent: Wednesday, November 02, 2005 3:44 AM
To: 'webappsec () securityfocus com'
Subject: whitelisting HTML tags

I need to tell my development to limit the HTML tags allowed in input to
a subset that can't be used for XSS.

Any guidelines for this? Obviously <SCRIPT> and <IMG> are out.. but I
want a whitelist of "safe" tags, not a blacklist of "bad" ones. Also,
attributes. A list of attributes for each element that CANNOT introduce
script code or references to background images, etc.

As we've seen recently with MySpace, allowing HTML and attempting to
keep out XSS are nearly contradictory goals, and yet nearly every
dynamic content site deals with it somehow. Are there any existing open
source applications that do a particularly good job of this, so that I
can just point and say "do it like XXX does"?

Developers have suggested using BBCode instead of HTML, but considering
that the target audience of end users is probably going to want to copy
and paste HTML straight out of FrontPage, I doubt BBCode will fly with
the customer.
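The allow-list approach the original poster asks for, sketched as an added example (this is not code from the list thread or from any project mentioned in it). It tokenizes the input with Python's standard-library HTMLParser, rebuilds the output from scratch, and lets through only the tags and per-tag attributes in the allow-list, so event handlers, style, src and background attributes never survive regardless of which tag carries them; href values are kept only when their scheme is http, https, mailto or absent. The particular tag and attribute lists are assumptions for illustration, not a recommendation for any given site. Note that, as the reply above points out, an attacker can still insert arbitrary visible paragraphs and links through this filter; it limits script execution, not what the page says.

```python
"""Allow-list HTML sanitizer (added example, not from the list or any project).

Assumptions: Python 3 standard library only; ALLOWED_TAGS and SAFE_SCHEMES
below are illustrative choices, adjust them to the site's needs.
"""
import re
from html import escape
from html.parser import HTMLParser

# Tag -> attributes permitted on it.  Everything else is dropped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "a": {"href", "title"},
}
VOID_TAGS = {"br"}
# Disallowed tags whose text content must be dropped too, not just the tag.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}
_CTRL = re.compile(r"[\x00-\x20\x7f]")            # chars browsers ignore in URLs
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def safe_url(value):
    """Return the URL if its scheme is allow-listed (or relative), else None.

    Control and whitespace characters are stripped first, so "java\tscript:"
    and "\x01javascript:" are recognised as the javascript: scheme.
    """
    if value is None:
        return None
    cleaned = _CTRL.sub("", value)
    m = _SCHEME.match(cleaned)
    if m and m.group(1).lower() not in SAFE_SCHEMES:
        return None
    return cleaned


class AllowListSanitizer(HTMLParser):
    """Rebuilds markup from parsed tokens instead of filtering the raw string."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded before we see them
        self.out = []
        self.open_tags = []      # allowed tags currently open, to keep output balanced
        self.skip_depth = 0      # > 0 while inside script/style/... content

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                     # tag dropped, its text content is kept
        rendered = [tag]
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue               # drops on*, style, src, background, ...
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue
            rendered.append('%s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<" + " ".join(rendered) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after it so the output stays well-formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape decoded text

    def handle_comment(self, data):
        pass                           # comments dropped (IE conditional comments)

    def result(self):
        self.close()
        while self.open_tags:          # close anything the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(html):
    p = AllowListSanitizer()
    p.feed(html)
    return p.result()


if __name__ == "__main__":
    # Constructed sample input, not taken from any real site.
    SAMPLE = ('<p onclick="alert(1)">Hi <b>there</b> <a href="java\tscript:x">link</a> '
              '<a href="http://example.com/?a=1&amp;b=2">ok</a><script>evil()</script>')
    print(sanitize(SAMPLE))
```

Because the output is regenerated from tokens, the filter never has to reason about attacker-controlled quoting or half-written tags; anything the parser did not understand as an allowed tag becomes escaped text. The one thing an allow-list cannot do is distinguish a legitimate paragraph from an injected one, which is exactly the point made in the reply above.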

