Welcome! » Log In » Create A New Profile

XSS using HTML Tag Attributes and Events

Posted by nat 
nat
XSS using HTML Tag Attributes and Events
February 08, 2018 11:43AM

Hi,

I was testing HTML Purifier version 4.7.0 against a set of XSS test inputs. It seems that it is vulnerable to XSS such as with inputs that contain XSS payloads in HTML tags. Some examples are:

<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>

and

<img src onerror /" &#039;"= alt=alert(106)//">//["&#039;`-->] 
]]>

will become

<img src="" alt="alert(106)//"" />//["&#039;`--&gt;]]&gt;]

I am aware that there is a new version of HTML Purifier and this issue might have already been fixed, but I just wanted to inform you nevertheless. I kindly suggest that the whitelist used in the filter restricts HTML tags with these attributes and events to make it more robust against XSS. A full report can be read in our paper, Assessment of Dynamic Open-source Cross-site Scripting Filters as Security Devices in Web Applications.

Thank you.

Re: XSS using HTML Tag Attributes and Events
February 10, 2018 03:59PM

Neither of these examples trigger XSS in Chrome. What browser is interpreting these differently?

Sorry, you do not have permission to post/reply in this forum.