From: Jeremiah Grossman (jeremiahwhitehatsec.com)
Date: Tue Oct 23 2001 - 14:01:16 CDT


    Yah, there are just so many...I got tons documented...
    and I agree... when you allow HTML.. you beg for trouble :)

    But there may be a way to implement secure user driven HTML.

    Strict ALLOW list of HTML Tags and HTML Attributes.

    Make sure the tags and attributes are inherently
    dangerous...

    then it may have a good chance of working.

    "Sverre H. Huseby" wrote:

    > [Jeremiah Grossman]
    >
    > | <IMG SRC="javascript:javascript_expression">
    >
    > And both Netscape and IE accept the following variations with white
    > space:
    >
    > <img src="java
    > script:alert('script');">
    >
    > <img src="java&#09;script:alert('script');">
    >
    > | <IMG SRC="&{javascript_expression};">
    >
    > That stupid Netscape JavaScript Entity works almost everywhere, like
    > in
    >
    > <br size="&{alert('script');};">
    >
    > And there are more: IE runs script code when given the following
    > constructs:
    >
    > <p style="left:expression(eval('alert(\'script\')'))">
    >
    > <style type="text/css">
    > @import url(javascript:alert('script'));</style>^^
    >
    > Netscape, Mozilla and MSIE allow body tags anywhere, to be nice I
    > guess, but the problem is that body tags may contain scripts too:
    >
    > <body onload="alert('script')">
    >
    > I guess there are plenty more. And I guess every browser (yes, there
    > are more than Netscape and MSIE) has additional peculiarities (how do
    > you spell that word?) too. Who said secure web development was
    > supposed to be easy? Allowing some HTML tags without allowing
    > scripting is extremely difficult. I've never dared to implement it.
    >
    > Sverre.
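The allow-list approach Jeremiah sketches above, and the vectors Sverre lists, are both easy to misjudge without code in front of you, so here is an added example (mine, not part of the thread, and not any library's implementation) of a strict allow-list sanitizer built on Python's `html.parser`. The tag/attribute policy, `ALLOWED_SCHEMES`, and every sample fragment below are assumptions constructed for illustration. It shows why the list has to be of what is *permitted* rather than of what is *forbidden*: `javascript:` with embedded whitespace or a `&#09;` entity, Netscape's `&{...}` entity in an attribute, `style="...expression(...)"`, `@import` inside `<style>`, and a stray `<body onload>` all fall out without any of them being named in a block list. It also goes slightly beyond the thread by normalising URL schemes the way browsers do (decode entities, drop ASCII controls and spaces) before checking them.

```python
import html
import re
from html.parser import HTMLParser

# Allow-list policy (assumed for illustration): tag -> attributes permitted on it.
# Anything not listed here, tag or attribute, never reaches the output.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "pre": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Elements whose content is code, not text: both the tag and its body are discarded.
DROP_CONTENT_TAGS = {"script", "style"}

_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def url_scheme_allowed(value):
    """True if a raw href/src value may be emitted.

    Character references are decoded first, so 'java&#09;script:' becomes
    'java<TAB>script:'; then every ASCII control character and space is removed,
    so that and 'java\\nscript:' both collapse to 'javascript:' before the scheme
    is compared against the allow list.  A value with no scheme (a relative URL)
    is accepted."""
    collapsed = _CONTROL_OR_SPACE.sub("", html.unescape(value))
    m = _SCHEME.match(collapsed)
    if m is None:
        return True
    return m.group(1).lower() in ALLOWED_SCHEMES


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # attr values arrive already decoded
        self.out = []
        self.open_tags = []
        self._dropping = None  # script/style element whose body is being discarded

    def handle_starttag(self, tag, attrs):
        if self._dropping:
            return
        if tag in DROP_CONTENT_TAGS:
            self._dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # body, iframe, ... vanish; the text inside them survives
        pieces = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops every on* handler, style=, and size="&{...}"
            if name in URL_ATTRS and not url_scheme_allowed(value):
                continue
            # Re-escaping turns a surviving '&{...}' into '&amp;{...}', no longer an entity.
            pieces.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(pieces)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self._dropping:
            if tag == self._dropping:
                self._dropping = None
            return
        if tag in self.open_tags:
            while True:  # close anything still open inside it so output stays balanced
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are never passed through

    def close(self):
        super().close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize(fragment):
    p = AllowListSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed samples modelled on the vectors discussed in the thread.
    for sample in ['<IMG SRC="javascript:alert(1)">',
                   '<img src="java\nscript:alert(1)">',
                   '<img src="java&#09;script:alert(1)">',
                   '<br size="&{alert(1)};">',
                   '<p style="left:expression(alert(1))">x',
                   '<style type="text/css">@import url(javascript:alert(1));</style>after',
                   '<body onload="alert(1)">hello']:
        print(repr(sample), "->", repr(sanitize(sample)))
```

Two design points worth noting. First, the parser, not a regular expression, decides where tags and attributes begin and end, so the whitespace and entity tricks above are normalised before the policy ever looks at them. Second, an element that is not on the list is dropped but its text is kept, while `script` and `style` lose their bodies too, because their content is code rather than text and would otherwise be emitted as literal (escaped) characters.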