
Removing XSS attempts only

Posted by asagb 
November 18, 2010 07:42PM

I've been using HTMLPurifier for a few years now and can't say enough how great a tool it is.

I have an application now that only requires removal of malicious scripts and XSS from HTML source, but nothing more than that (no well-formedness or standardization required). Is there an easy way to slim down the functionality of HTMLPurifier so that it works only as I described? If so, how can I go about that? If not, can you recommend the best tool for the job?

Thanks, Tony

Re: Removing XSS attempts only
November 18, 2010 08:03PM

No, such functionality goes against the design philosophy of HTML Purifier.

Re: Removing XSS attempts only
November 19, 2010 05:37PM

I understand.

The problem we face is that we sometimes find users inputting their own html into our site (which we want to allow) but they are inputting non-well-formed html which often breaks our pages because of dangling tags or other various errors in their source.

Our only solution was to instead display their html in an iframe to isolate it from the rest of the page. For security, we've tried simply applying HTML Purifier to the source before it is displayed in the iframe, but this often changes or removes elements in the source (which is expected), while all we really want to do is protect against XSS. Being that the source is isolated in an iframe and standardization is not so much a concern for us, do you know any other means of protecting ourselves from XSS attacks via the iframe? Is this something we should even be concerned about, since the iframed source is isolated from the main source of the site?

Thank you, Tony

Re: Removing XSS attempts only
November 19, 2010 09:32PM

Some websites have successfully used the Same-origin policy to sandbox JavaScript content into a domain where they can't cause mischief. I will note the following caveats for iframe'ing them onto a trusted domain:

  • JavaScript can be used to "bust out" of a frame and replace the current page; this represents a phishing vulnerability.
  • Just because the JavaScript is in an iframe doesn't mean it doesn't run... it can still do mean stuff.
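The reply above relies on the same-origin policy: user HTML is only isolated if it is served from an origin that differs from the trusted site's. The following is an added example, not code from the thread or from HTML Purifier, that makes that check explicit and builds the iframe embed. It uses the browser-side `sandbox` attribute, which did not exist when this thread was written; the hostnames and paths in it are constructed placeholders.

```javascript
// Added example (not from the forum thread). Checks that user-supplied HTML
// is served from a different origin than the trusted site, then builds the
// iframe markup that embeds it. The sandbox attribute (post-dates this
// thread) addresses the first caveat above: a sandboxed frame without
// allow-top-navigation cannot replace the top-level page ("bust out").

// Reduce a URL to its origin tuple (scheme, host, port), which is what the
// same-origin policy compares. The URL parser drops default ports, so
// "https://example.com" and "https://example.com:443" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaultPorts[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Build the embed. Throws if the content URL shares an origin with the
// trusted page, because then the isolation the thread relies on does not
// exist and any script in the user HTML is ordinary XSS against the site.
function buildIsolatedFrame(trustedPageUrl, userContentUrl) {
  if (sameOrigin(trustedPageUrl, userContentUrl)) {
    throw new Error('user content must be served from a separate origin');
  }
  // allow-scripts without allow-same-origin or allow-top-navigation:
  // scripts still run (the second caveat above still applies: they can do
  // whatever a page on that throwaway origin can do), but they get an
  // opaque origin and cannot navigate the top-level page.
  const escaped = userContentUrl.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<iframe src="${escaped}" sandbox="allow-scripts"></iframe>`;
}

// Constructed sample values for a stand-alone run.
const TRUSTED_PAGE = 'https://example.com/profile';
const USER_CONTENT = 'https://usercontent-example.net/u/42';
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildIsolatedFrame(TRUSTED_PAGE, USER_CONTENT));
}
```

Because cookies are scoped by host rather than by origin, the content host is best placed on a separate registrable domain (as in the sample) rather than a subdomain of the trusted site, so that framed scripts cannot read or set cookies that the main site also honours.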