NYCPHP Meetup

NYPHP.org

[nycphp-talk] sanitizing user-submitted html

James Wetterau james at surgam.net
Fri May 30 19:06:21 EDT 2003


Chris Snyder says:
> I've whipped up a pcom-to-be that will render user-submitted HTML safe 
> from all of the cross-site-scripting attacks that I'm aware of.
> If you think you know any clever tricks for getting javascript or nasty 
> tags (like <embed>) around text filters, could you please have a go at 
> breaking it?

This submission breaks it:

Strips some attibutes:<br>
<img src='http://fotola.com/berylium/csnyder/?method=latestimage'
onmouseover='whatever(whatever="onmouseover='
alert("gotcha");
alert("I can do anything in here"); 
'/>

Note, it also breaks your page, so the exploit will not be obvious
unless you verify that the attempted "safe" HTML doesn't work by
putting it on a page by itself.  

Your program needs to verify that after it strips the HTML it hasn't
generated unsafe HTML, and it needs a way to avoid getting caught in a
loop doing that.  This is the sort of programming challenge that I
like to model with a state machine.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20030530/f4bc1ba9/attachment.html>


More information about the talk mailing list