<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos network security services platform

WebApp Sec: Re: whitelisting HTML tags

Re: whitelisting HTML tags

From: <bugtraq_at_cgisecurity.net>
Date: Wed, 2 Nov 2005 10:45:03 -0500 (EST)

> I need to tell my development to limit the HTML tags allowed in input to a
> subset that can't be used for XSS.
>
> Any guidelines for this? Obviously <SCRIPT> and <IMG> are out.. but I want a
> whitelist of "safe" tags, not a blacklist of "bad" ones. Also, attributes. A
> list of attributes for each element that CANNOT introduce script code or
> references to background images, etc.

Even if you whitelist certain tags, script execution may still be possible in tag attributes.

Example:

<IMG SRC="javascript:alert(document.cookie);">

Other Examples: http://ha.ckers.org/xss.html

- admin_at_cgisecurity.com
http://www.cgisecurity.com/
Received on Nov 03 2005

This message: [ Message body ]
Next message: Adam Shostack: "Re: whitelisting HTML tags"
Previous message: Ory Segal: "RE: whitelisting HTML tags"
In reply to: Jeff Robertson: "whitelisting HTML tags"
Next in thread: Adam Shostack: "Re: whitelisting HTML tags"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]