WebApp Sec mailing list archives
RE: whitelisting HTML tags
From: "Tim Hollebeek" <tholleb () teknowledge com>
Date: Mon, 7 Nov 2005 11:33:45 -0800
> It seems to me simpler to say [b] becomes <b> than to worry if <b> can take an argument.

My point is that it isn't. You write a parser for SimpleHTML that understands "<b>" but doesn't understand "<b ...>". If it sees the latter, it will reject it. Not because you worried about the case, but because it isn't part of the SimpleHTML language. Unless the BBHTML -> SimpleHTML translation is complex, the SimpleHTML parser is no more complex than the BBHTML parser. Actually, it's less complex since it is just parsing, and not doing any translating. This saves you from having to be careful how you put the output together, and making sure it is correct. It's nicer on the users, too: no need to learn new syntax.

> It's also harder for someone to come along and transform it from a whitelist function to a blacklist function without properly considering the security implications.

That's a valid point.

-Tim
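The parser Tim describes, written out as an added example (this is not code from the thread or from any poster; the tag set `b`, `i`, `u`, `p` and the name "SimpleHTML" are assumptions for illustration). The grammar accepts only the exact tokens `<tag>` and `</tag>` for whitelisted names, so `<b onclick=...>`, `<B>`, `<script>` and a stray `<` are all rejected by the same rule: they are not sentences of the language. There is no translation step; the parser re-emits the whitelisted tokens verbatim and HTML-escapes the text between them.

```python
import html
import re

# Constructed whitelist for the toy SimpleHTML language: the parser recognises
# exactly these tag names, written as "<b>" / "</b>" with nothing else inside
# the angle brackets. Any other "<" sequence is simply not part of the language.
ALLOWED_TAGS = frozenset({"b", "i", "u", "p"})

# Matches exactly "<name>" or "</name>" with a lowercase ASCII name and no
# attributes or whitespace. "<b onclick=...>" and "<B>" fail to match at all.
_TAG = re.compile(r"<(/?)([a-z]+)>")


class SimpleHTMLError(ValueError):
    """Input is not a sentence of the SimpleHTML language."""


def parse_simplehtml(src: str) -> str:
    """Parse SimpleHTML and re-emit it with text runs HTML-escaped.

    Raises SimpleHTMLError on anything outside the language: unknown or
    attributed tags, a stray '<', or unbalanced / misnested tags.
    """
    out = []
    stack = []  # currently open tags, for balance checking
    pos = 0
    while pos < len(src):
        if src[pos] != "<":
            # Text run: copy up to the next '<', escaping it so '&', '"' and
            # friends cannot be reinterpreted as markup by the browser.
            end = src.find("<", pos)
            if end == -1:
                end = len(src)
            out.append(html.escape(src[pos:end], quote=True))
            pos = end
            continue
        m = _TAG.match(src, pos)
        if m is None or m.group(2) not in ALLOWED_TAGS:
            raise SimpleHTMLError(
                f"not SimpleHTML at offset {pos}: {src[pos:pos + 20]!r}")
        closing, name = m.group(1) == "/", m.group(2)
        if closing:
            if not stack or stack[-1] != name:
                raise SimpleHTMLError(f"unexpected </{name}> at offset {pos}")
            stack.pop()
        else:
            stack.append(name)
        out.append(m.group(0))  # re-emit the exact whitelisted token, unchanged
        pos = m.end()
    if stack:
        raise SimpleHTMLError(f"unclosed tags: {stack}")
    return "".join(out)


def is_simplehtml(src: str) -> bool:
    """Accept / reject check, e.g. at form-submission time."""
    try:
        parse_simplehtml(src)
        return True
    except SimpleHTMLError:
        return False


if __name__ == "__main__":
    # Constructed samples: one valid document and several that fall outside
    # the language for different reasons.
    samples = [
        "Hello <b>world</b> & goodbye",
        '<b onclick="x">hi</b>',   # attribute: token not in the grammar
        "<script>x</script>",      # tag name not whitelisted
        "<b><i>x</b></i>",         # misnested
        "a < b",                   # stray '<' in text
    ]
    for s in samples:
        print(f"{s!r:35} -> {'accepted' if is_simplehtml(s) else 'rejected'}")
```

Note that the rejection of `<b onclick=...>` is not a special case anywhere in the code; it falls out of `_TAG` and `ALLOWED_TAGS` together, which is the point Tim makes. The flip side is strictness: because text runs are fully escaped, a user cannot express a literal `<` in this toy language, and a deployment would have to decide whether to accept `&lt;`-style entities in text.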