
XSS using HTML Tag Attributes and Events

Posted by nat
February 08, 2018 11:43AM

Hi,

I was testing HTML Purifier version 4.7.0 against a set of XSS test inputs. It seems that it is vulnerable to XSS such as with inputs that contain XSS payloads in HTML tags. Some examples are:

<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>

and

<img src onerror /" &#039;"= alt=alert(106)//">//["&#039;`-->] 
]]>

will become

<img src="" alt="alert(106)//"" />//["&#039;`--&gt;]]&gt;]

I am aware that there is a new version of HTML Purifier and this issue might have already been fixed, but I just wanted to inform you nevertheless. I kindly suggest that the whitelist used in the filter restrict HTML tags with these attributes and events to make it more robust against XSS. A full report can be read in our paper, Assessment of Dynamic Open-source Cross-site Scripting Filters as Security Devices in Web Applications.

Thank you.
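As an added, defender-side illustration (not code from the post or from HTML Purifier): the first payload hides its URL scheme behind HTML character references, so a link check that inspects the raw attribute text passes it, while a check that decodes the references first, as a browser does before resolving the URL, rejects it. The allowlist, the function names and the sample inputs are assumptions made for this example.

```python
import html
import re

# Assumed scheme allowlist for href attributes (not HTML Purifier's own config).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Constructed sample inputs: the first payload from the post plus two benign links.
SAMPLE_HREFS = {
    "payload": "jAvAsCrIpT&colon;alert&lpar;1&rpar;",
    "absolute": "https://example.com/page",
    "relative": "/docs/index.html",
}


def naive_href_is_safe(raw_href: str) -> bool:
    """The weak check: looks at the attribute text as written."""
    return not raw_href.lower().startswith("javascript:")


def normalize_url(raw_href: str) -> str:
    """Undo what a browser undoes before resolving the URL: decode HTML
    character references (&colon;, &#58;, ...), drop tab/newline/CR anywhere,
    and strip leading/trailing C0 controls and spaces."""
    decoded = html.unescape(raw_href)
    decoded = re.sub(r"[\t\n\r]", "", decoded)
    return re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", decoded)


def url_scheme(url: str):
    """Return the lowercased scheme, or None for a relative URL."""
    match = re.match(r"^([A-Za-z][A-Za-z0-9+.\-]*):", url)
    return match.group(1).lower() if match else None


def href_is_safe(raw_href: str) -> bool:
    """The robust check: normalize first, then compare against the allowlist."""
    scheme = url_scheme(normalize_url(raw_href))
    if scheme is None:
        return True  # relative URL: no scheme to abuse
    return scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    for name, href in SAMPLE_HREFS.items():
        print(f"{name:9} naive={naive_href_is_safe(href)!s:5} robust={href_is_safe(href)}")
```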

Re: XSS using HTML Tag Attributes and Events
February 10, 2018 03:59PM

Neither of these examples triggers XSS in Chrome. What browser is interpreting these differently?
