Jump to content

Recommended Posts

What methods do you guys use to combat XSS attacks while still allowing users to contribute rich content via WYSIWYG editors and the like. I know there are third party scripts that will help filter this stuff, but I really prefer not to go that way. If you think this makes the most sense please justify your answer so I might be sold on the idea :P I appreciate any thoughts.

Link to comment
https://forums.phpfreaks.com/topic/74962-solved-whats-the-best-way-to-avoid-xss/
Share on other sites

This depends on your idea of 'rich content'. Basic HTML is mostly safe, with the exception of anything that loads external objects. And then still most of them are low risk. So your safest bet is a whitelist.

 

Example whitelist of the top of my head:

 

  • br
  • p
  • hr
  • table
  • tr
  • td
  • div
  • span
  • font

 

Low risk:

 

  • style (url)
  • a
  • img
  • form (and form elements)
  • object

 

High risk:

 

  • script
  • link

 

Elements in the 'low risk' category can potentially pose a high risk, if you do not take precautions. As I said, loading external objects poses a risk. A browser can be fooled to send the cookie header along with the request. Setting the right cookie parameters negates most of this risk, but better safe than sorry. Anyone on the same shared host can potentially steal your users' cookies by linking to an external object under a different port, yet the same domain name. Cookies are not port specific. A simple socket server can do that.

 

High risk is allowing javascript. Basically anything that potentially allows javascript to be executed on the page sent to the client should be avoided like the plague (don't forget the javascript pseudo-protocol!). Cookie theft is trivial with javascript.

 

A pretty good source for security related issues is www.cgisecurity.com.

 

 

 

 

I know there are third party scripts that will help filter this stuff, but I really prefer not to go that way.

 

Reinventing the wheel is another way, but not too smart, IMHO. What's wrong with HTML Purifier and similar solutions?

I'm fairly familiar with how it works, I also know you can add javascript to about any HTML element, like uh; onclick="javascript:alert('evil xss')" or some crap. So I can allow the basic elements just fine, it's if I allow any styling and stuff that it becomes dangerous very quickly. That's not even getting into the mess where it could potentially be added as hex or something.

 

As for the html purifier etc, this particular application I'm not sure if I want to opensource it or not and depending on the interpretation of the GPL this could be considered a derivative work even though the focus of the application really has very little to do with what html purifier brings.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.