dbo, October 27, 2007: What methods do you guys use to combat XSS attacks while still allowing users to contribute rich content via WYSIWYG editors and the like? I know there are third-party scripts that will help filter this stuff, but I really prefer not to go that way. If you think this makes the most sense, please justify your answer so I might be sold on the idea. I appreciate any thoughts.
448191, October 27, 2007: This depends on your idea of 'rich content'. Basic HTML is mostly safe, with the exception of anything that loads external objects. And then still most of them are low risk. So your safest bet is a whitelist. Example whitelist off the top of my head:

Safe: br, p, hr, table, tr, td, div, span, font
Low risk: style (url), a, img, form (and form elements), object
High risk: script, link

Elements in the 'low risk' category can potentially pose a high risk if you do not take precautions. As I said, loading external objects poses a risk. A browser can be fooled into sending the cookie header along with the request. Setting the right cookie parameters negates most of this risk, but better safe than sorry. Anyone on the same shared host can potentially steal your users' cookies by linking to an external object under a different port, yet the same domain name. Cookies are not port specific. A simple socket server can do that. High risk is allowing javascript. Basically anything that potentially allows javascript to be executed on the page sent to the client should be avoided like the plague (don't forget the javascript pseudo-protocol!). Cookie theft is trivial with javascript. A pretty good source for security-related issues is www.cgisecurity.com.
Mastodont, October 27, 2007: Quoting dbo: "I know there are third-party scripts that will help filter this stuff, but I really prefer not to go that way." Reinventing the wheel is another way, but not too smart, IMHO. What's wrong with HTML Purifier and similar solutions?
dbo (author), October 27, 2007: I'm fairly familiar with how it works. I also know you can add javascript to about any HTML element, like, uh, onclick="javascript:alert('evil xss')" or some crap. So I can allow the basic elements just fine; it's if I allow any styling and stuff that it becomes dangerous very quickly. That's not even getting into the mess where it could potentially be added as hex or something. As for HTML Purifier etc., this particular application I'm not sure if I want to open-source or not, and depending on the interpretation of the GPL this could be considered a derivative work even though the focus of the application really has very little to do with what HTML Purifier brings.
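The approach 448191 sketches above (a tag whitelist) together with the two traps dbo raises (on* event handlers on otherwise harmless tags, and a javascript: URL hidden behind hex entities) can be covered by one small filter. The following is an added example written for this thread, not code from any poster and not HTML Purifier; it is in Python rather than PHP, the tag list and the SAFE_SCHEMES set are assumptions chosen to match the whitelist quoted above, and the sample inputs are constructed. Anything not on the whitelist, whether a tag or an attribute, is dropped rather than escaped, so there is no blacklist of event-handler names to keep current.

```python
import re
from html import escape
from html.parser import HTMLParser

# Whitelist: tag -> attributes permitted on it. Anything else is dropped.
# Assumed set, modelled on 448191's 'safe' list plus a/img with URL attributes.
ALLOWED = {
    "br": set(), "p": set(), "hr": set(), "table": set(), "tr": set(),
    "td": set(), "div": set(), "span": set(), "font": {"color", "size"},
    "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID = {"br", "hr", "img"}              # tags that never get a closing tag
DROP_CONTENT = {"script", "style"}      # drop the tag AND its text content
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}  # assumed policy; relative URLs also pass

_CONTROL = re.compile(r"[\x00-\x20]")                 # whitespace / control chars
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")  # RFC 3986 scheme prefix


def safe_url(value):
    """Return the URL if it is relative or uses a whitelisted scheme, else None."""
    # HTMLParser has already decoded entities, so &#x6a;avascript: arrives as
    # javascript:. Embedded tabs/newlines (java\tscript:) still need stripping.
    cleaned = _CONTROL.sub("", value)
    m = _SCHEME.match(cleaned)
    if m is None:
        return value.strip()            # no scheme: relative URL
    return value.strip() if m.group(1).lower() in SAFE_SCHEMES else None


class WhitelistSanitizer(HTMLParser):
    """Re-emits only whitelisted tags/attributes; everything else is removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack used to keep the output well-formed
        self.skipping = None  # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED[tag] or value is None:
                continue  # this is what removes onclick=, onerror=, style=, ...
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue  # javascript:, data:, vbscript: etc. are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED and tag not in VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.skipping == tag:
            self.skipping = None
            return
        if tag in ALLOWED and tag in self.open_tags:
            # Close everything down to the matching tag so nesting stays valid.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

    def result(self):
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Whitelist-filter a fragment of user-supplied HTML."""
    p = WhitelistSanitizer()
    p.feed(html)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed samples covering the cases discussed in the thread.
    for sample in ['<p onclick="javascript:alert(1)">hi</p>',
                   '<a href="&#x6a;avascript:alert(1)">x</a>',
                   '<img src="x.png" onerror="alert(1)">']:
        print(sample, "->", sanitize(sample))
```

Because the parser decodes character references before the filter sees attribute values, the hex-encoded variant dbo mentions is handled by the same scheme check as the plain one; the control-character strip covers the tab/newline splitting that browsers tolerate inside a scheme name. Text nodes are always re-escaped on output, so the filter never has to trust how the input was encoded.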
Mastodont, October 27, 2007: But it is distributed under LGPL, not GPL ...
dbo (author), October 27, 2007: Touché.