[nycphp-talk] sanitizing user-submitted html
James Wetterau
james at surgam.net
Fri May 30 17:06:39 EDT 2003
Chris Snyder says:
> I've whipped up a pcom-to-be that will render user-submitted HTML safe
> from all of the cross-site-scripting attacks that I'm aware of.
> If you think you know any clever tricks for getting javascript or nasty
> tags (like <embed>) around text filters, could you please have a go at
> breaking it?
This submission breaks it:
Strips some attibutes:<br>
<img src='http://fotola.com/berylium/csnyder/?method=latestimage'
onmouseover='whatever(whatever="onmouseover='
alert("gotcha");
alert("I can do anything in here");
'/>
Note, it also breaks your page, so the exploit will not be obvious
unless you verify that the attempted "safe" HTML doesn't work by
putting it on a page by itself.
Your program needs to verify that after it strips the HTML it hasn't
generated unsafe HTML, and it needs a way to avoid getting caught in a
loop doing that. This is the sort of programming challenge that I
like to model with a state machine.
--- Unsubscribe at http://nyphp.org/list/ ---
More information about the talk
mailing list