WebApp Sec: Re: whitelisting HTML tags

Re: whitelisting HTML tags

From: Sverre H. Huseby <shh_at_thathost.com>
Date: Wed, 2 Nov 2005 16:52:20 +0100

[Jeff Robertson]

| I need to tell my development to limit the HTML tags allowed in
| input to a subset that can't be used for XSS. Any guidelines for
| this?

You need three levels of whitelisting:

  * For allowed _tags_

  * For allowed _attributes_ for the allowed tags (separate attribute
    whitelist for each tag)

      To avoid e.g. onload, onclick and stuff

      If you allow an "img" tag, you could allow the "src" and "alt"
      attributes, and discard the rest.

  * For allowed _attribute_values_ for the allowed attributes

      To avoid e.g. href="javascript:..."

      You would allow src="http:..." and src="ftp:", and discard the
      rest.

Sverre.

-- 
shh_at_thathost.com               My web security book: Innocent Code
http://shh.thathost.com/       http://innocentcode.thathost.com/
Received on Nov 03 2005