 
Subject: Re: User input validation
From: Elias Levy (aleph1SECURITYFOCUS.COM)
Date: Wed Nov 29 2000 - 10:54:10 CST


* Jaanus Kase (j.kasePRIVADOR.COM) [001129 16:33]:
>
> In your case above, when a user enters a piece of HTML, it would be
> displayed as "raw" HTML to other users. However, I want user-entered
> HTML to be displayed to other users as normal interpreted HTML, while
> filtering out malicious content. If I enter <b>bold text</b>, it would be
> left untouched, and displayed to other users as bold. However, I don't want
> to allow users to exploit the newest trendy JavaScript/ActiveX/... tags, so
> I must take care to filter out unwanted tags and also parameters.
>
> It seems that in this case, the "allow certain tags" approach may again be
> useful - only allow a specific set of HTML tags without parameters, like
> <b>, <i>, <a href>, <u>, and filter out everything else. This means, among
> other things, constructing a sort of HTML parser of your own, because while I
> want to allow links (can the href= attribute also contain malicious content,
> besides pointing to a file which itself contains some exploits?), I don't
> want to allow other attributes.

Correct. You would need to parse the HTML and remove any tags you
did not wish to display. There are plenty of routines out there that
parse HTML or XML that you could use. The danger here is that most
browsers are willing to parse non-compliant HTML. E.g.
<b><i>foo</b></i> should be invalid, as one container does not
completely enclose the other. Caveat emptor.

> Regards,
> Jaanus Kase - tel +372 50 79 276
> Privador. Defenders of the e. http://www.privador.com

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
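An allow-list filter of the kind discussed in the thread, added here as an example (not code from either poster). It assumes Python's standard html.parser, an allow-list of <b>, <i>, <u> and <a>, keeps href only when it is an absolute http(s) URL (so javascript: and similar schemes are dropped along with every other attribute), re-escapes all text, and re-emits mis-nested input such as <b><i>foo</b></i> as properly nested output so the browser has nothing to guess about.

```python
"""Allow-list HTML sanitizer: added example, not code from the thread.
Keeps only <b>, <i>, <u>, <a href=http(s)...>, escapes text, re-nests
mis-nested tags such as <b><i>foo</b></i>; all other tags are dropped."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "i", "u", "a"}   # assumed allow-list for this example
SAFE_SCHEMES = {"http", "https"}

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []    # emitted fragments
        self.stack = []  # open allowed tags, so output nests properly

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # script, img, iframe, ... are dropped entirely
        attr_text = ""
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            # keep href only for http(s); javascript:, data:, relative URLs go
            if urlparse(href).scheme.lower() in SAFE_SCHEMES:
                attr_text = ' href="%s"' % escape(href, quote=True)
        self.out.append("<%s%s>" % (tag, attr_text))
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return  # stray or disallowed close tag
        while self.stack:  # close inner tags first -> well-formed output
            top = self.stack.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always re-escaped

    def result(self):
        while self.stack:  # close whatever the author left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)

def sanitize(fragment):
    p = AllowListSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()
```

Text inside dropped tags is kept as escaped text, so a dropped tag can never re-introduce markup; relative links are rejected by the scheme check, which is the strict choice for untrusted input.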