Welcome! » Log In » Create A New Profile

Purify attributes without tags

Posted by seb 
Purify attributes without tags
May 26, 2017 11:26AM

Hi, it is possible to purify attributes without tags to counter reflected XSS ?

Example : We have an url like http://site.com/?param=xxx

In the code the parameter is retrieved in $param and cleaned by htmlpurifier, and we echo :

<div data-attr="<?php echo $param ?>" ></div>

if we try a input with something like :

xxx" onload="alert(1) 

the output will look like :

<div data-attr="xxx" onload="alert(1)" ></div>

And the XSS will work...

Btw this is just an example and finally every XSS are purified when they are in HTML tags, but not purified when there is no tags in the input.

I would like to remove all js attributes like onload, onmouseover, ... even if they are not in HTML tag. Do you know any way to do it with this library ?


Re: Purify attributes without tags
May 28, 2017 09:39PM

Whether or not a value is safe for an attribute depends on the attribute in question. For example, it would be fine to put "javascript:alert(1)" in the alt attribute of an img tag, but not in the src!

For the specific case of data-attr, the safety of the value depends entirely on who is consuming it (I guess you have some JS code which is reading it?) So I cannot give any advice here because data-attr is a wholly custom attribute whose semantics are specified on a per application basis.

Your Email:


HTML input is enabled. Make sure you escape all HTML and angled brackets with &lt; and &gt;.

Auto-paragraphing is enabled. Double newlines will be converted to paragraphs; for single newlines, use the pre tag.

Allowed tags: a, abbr, acronym, b, blockquote, caption, cite, code, dd, del, dfn, div, dl, dt, em, i, ins, kbd, li, ol, p, pre, s, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, var.

For inputting literal code such as HTML and PHP for display, use CDATA tags to auto-escape your angled brackets, and pre to preserve newlines:

Place code here

Power users, you can hide this notice with:

.htmlpurifier-help {display:none;}