WebApp Sec mailing list archives
Re: whitelisting HTML tags
From: Adam Shostack <adam () homeport org>
Date: Mon, 7 Nov 2005 14:00:54 -0500
On Mon, Nov 07, 2005 at 10:46:49AM -0800, Tim Hollebeek wrote:
|
| > I'm fond of the BB/Markdown sorts of solutions, which use an
| > HTML-like language which you translate into HTML. If your
| > parser tosses things it doesn't understand, this can be a
| > good solution to the (often real) requirement of "we need to
| > let users enter more than plain text."
|
| You're proposing a small language L where the input is translated
| into a safe subset of HTML if the input is in L, and rejected otherwise.
|
| What are the advantages of this over the special case L = the safe
| subset (and the translation is the identity function), which we were
| discussing?

It seems to me simpler to say [b] becomes <b> than to worry if <b>
can take an argument.

It's also harder for someone to come along and transform it from a
whitelist function to a blacklist function without properly
considering the security implications. User input functions will
break, and so QA will more easily notice the shift.

Adam
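The translator the thread describes, as an added example (not code from the list or from either poster): a small BBCode-like language L is mapped onto a fixed whitelist of HTML elements, and every token the parser does not recognise exactly is emitted as escaped text rather than as markup. The tag table, the `reject_unknown` switch and the sample inputs are this example's own assumptions. The point Adam makes about arguments is visible in the grammar: `[b]` is a tag, `[b onclick=x]` is not, so there is nothing to pass through.

```python
import html
import re

# Whitelist: BBCode tag name -> HTML element it translates to (assumed table).
# Anything not in this table is not a tag in L; it is escaped as literal text.
SAFE_TAGS = {"b": "b", "i": "i", "u": "u", "code": "code"}

# A tag is exactly "[name]" or "[/name]": no attributes, no arguments.
TAG_RE = re.compile(r"\[(/?)([a-zA-Z]+)\]")


def bbcode_to_html(text: str, reject_unknown: bool = False) -> str:
    """Translate input in L into a safe HTML subset.

    Only exact matches from SAFE_TAGS become HTML. Tag-like tokens with
    unknown names are either escaped as text (default, "toss what you don't
    understand") or, with reject_unknown=True, cause the input to be rejected
    (the "rejected otherwise" variant). Raw HTML in the input is always
    escaped, and the output is always well-formed: unbalanced tags are closed
    and stray close tags become text.
    """
    out = []
    stack = []  # names of currently open whitelisted tags, in order
    pos = 0
    for m in TAG_RE.finditer(text):
        # Literal text between tags is never interpreted as HTML.
        out.append(html.escape(text[pos:m.start()], quote=True))
        pos = m.end()
        closing, name = m.group(1) == "/", m.group(2).lower()
        if name not in SAFE_TAGS:
            if reject_unknown:
                raise ValueError(f"input not in L: unknown tag {m.group(0)!r}")
            out.append(html.escape(m.group(0), quote=True))
            continue
        if not closing:
            stack.append(name)
            out.append(f"<{SAFE_TAGS[name]}>")
        elif name in stack:
            # Close any inner tags still open, then the requested one.
            while True:
                top = stack.pop()
                out.append(f"</{SAFE_TAGS[top]}>")
                if top == name:
                    break
        else:
            # Close tag with no matching open tag: treat as text.
            out.append(html.escape(m.group(0), quote=True))
    out.append(html.escape(text[pos:], quote=True))
    # Close whatever the user left open so the fragment is balanced.
    while stack:
        out.append(f"</{SAFE_TAGS[stack.pop()]}>")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["[b]bold[/b] and [i]italic[/i]",
                   "<script>alert(1)</script>",
                   "[b onclick=x]not a tag[/b]",
                   "[url=javascript:alert(1)]unknown tag[/url]",
                   "[b][i]unbalanced[/b]"]:
        print(repr(sample), "->", bbcode_to_html(sample))
```

Because the whitelist is a data table consulted by name, turning this into a blacklist would require rewriting the parser loop rather than editing one entry, which is the property Adam is relying on for QA to catch a regression.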