views: 216
answers: 4

I'm using ASP.NET Web Forms for blog style comments.

Edit 1: This looks way more complicated than I first thought. How do you filter the src?
I would prefer to still use real HTML tags, but if things get too complicated that way, I might go a custom route. I haven't done any XML yet, so do I need to learn more about that?

+1  A: 

Use an XML parser to validate your input, and drop or encode all elements and attributes that you do not want to allow. In this case, delete or encode all tags except the <img> tag, and all attributes from that except src, alt and title.

Thomas
URLs that don't start with http:// should be disallowed as well (especially javascript:).
rpetrich
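An added example of the whitelist approach described in this answer and its comment (this is not Thomas's or rpetrich's code, and it is written in Python rather than the asker's ASP.NET so the logic can be run as-is). Python's html.parser walks the markup, keeps only <img> with src, alt and title, requires src to be an absolute http or https URL (accepting https alongside http is an assumption), and renders every other tag, comment or declaration as escaped text rather than silently dropping it, so the reader sees what was typed and the browser sees no element. The sample inputs in the test are constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAG = "img"
ALLOWED_ATTRS = ("src", "alt", "title")
ALLOWED_SCHEMES = ("http", "https")  # assumption: https is accepted alongside http


def safe_image_src(value):
    """True only for an absolute http(s) URL with a host.

    Rejects javascript:, data:, vbscript:, relative and scheme-relative
    (//host/x.jpg) values, which is the point rpetrich raises above.
    """
    if not value:
        return False
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # e.g. a malformed IPv6 host literal
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


class ImgOnlySanitizer(HTMLParser):
    """Whitelist sanitizer: keeps <img> with src/alt/title only and renders
    every other tag, comment or declaration as escaped, inert text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _as_text(self, raw):
        # Anything not explicitly allowed becomes visible text, never markup.
        self.out.append(html.escape(raw, quote=True))

    def handle_starttag(self, tag, attrs):
        if tag != ALLOWED_TAG:
            self._as_text(self.get_starttag_text())
            return
        # HTMLParser already lower-cases tag and attribute names; a value is
        # None for a bare attribute such as <img src>, so normalise it to "".
        kept = {name: (value or "") for name, value in attrs if name in ALLOWED_ATTRS}
        if not safe_image_src(kept.get("src")):
            self._as_text(self.get_starttag_text())
            return
        # Re-emit the element from our own dictionary, never from the raw text,
        # so event handlers and duplicate attributes cannot survive.
        rendered = "".join(
            ' %s="%s"' % (name, html.escape(kept[name], quote=True))
            for name in ALLOWED_ATTRS
            if name in kept
        )
        self.out.append("<img%s />" % rendered)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag != ALLOWED_TAG:  # </img> carries no meaning, so just drop it
            self._as_text("</%s>" % tag)

    def handle_data(self, data):
        # The parser decoded entities for us, so re-encode them for output.
        self._as_text(data)

    def handle_comment(self, data):
        self._as_text("<!--%s-->" % data)

    def handle_decl(self, decl):
        self._as_text("<!%s>" % decl)

    def handle_pi(self, data):
        self._as_text("<?%s>" % data)


def sanitize_comment(raw):
    """Return HTML in which only whitelisted <img> elements survive as markup."""
    parser = ImgOnlySanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

The important design choice is that the output is rebuilt from the parser's events rather than patched into the original string: an <img> that fails the src check is written back as escaped text of the original tag, and script bodies reach handle_data and are encoded like any other text, so there is no path by which attacker-supplied bytes reach the page unencoded.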
+3  A: 

If IMG is the only thing you'd allow, I'd suggest you use a simple square-bracket syntax to allow it. This would eliminate the need for a parser and reduce a load of other dangerous edge cases with the parser as well. Say, something like:

Look at this! [http://a.b.c/m.jpg]

Which would get converted to

Look at this! <img src="http://a.b.c/m.jpg" />

You should filter the SRC address so that no malicious things get passed in the SRC part too. Like maybe:

Look at this! [javascript:alert('pwned!')]
chakrit
Restricting image extensions doesn't really help that much, since you can just set up a forward on a server and have the browser load any URL you want anyway. But yeah, I agree, using some alternate syntax seems like a much better idea than fighting with HTML sanitization for something like this.
Jeremy Banks
Bracket syntax removes hacking of any part of the tag, but carefully filtering the src value (whether accepted in HTML or square-bracket syntax) is still critical. See http://ha.ckers.org/xss.html for exploits and which browsers are vulnerable respectively.
micahwittman
Unfortunately, if someone in a comment types an array like Food[1] won't my parser try and turn this into an image?
danmine
Then you'd have to make sure the text inside the square brackets looks like a URL.
chakrit
Look at this! [javascript:alert('pwnd!')]
porneL
OK, edited that in.
chakrit
A: 

If you end up going with a non-HTML format (which makes things easier because you can literally escape all HTML), use a standard syntax like Markdown. The Markdown image syntax is ![alt text](/path/to/image.jpg)

There are others also, like Textile. Its syntax for images is !imageurl!

Jonathan Tran
A: 

@chakrit suggested using a custom syntax, e.g. bracketed URLs - this might very well be the best solution. You DEFINITELY don't want to start messing with parsing etc.
Just make sure you properly encode the entire comment (according to the context - see my answer on this here: http://stackoverflow.com/questions/53728/will-html-encoding-prevent-all-kinds-of-xss-attacks#70222)
(BTW, I just discovered a good example of custom syntax right there... ;-) )

As also mentioned, restrict the file extension to jpg/gif/etc. - even though this can be bypassed - and also restrict the protocol (e.g. http://).

Another issue to be considered besides XSS is CSRF (http://www.owasp.org/index.php/Cross-Site_Request_Forgery). If you're not familiar with this security issue, it basically allows the attacker to force my browser to submit a valid authenticated request to your application, for instance to transfer money or to change my password. If this is hosted on your site, he can anonymously attack any vulnerable application - including yours. (Note that even if other applications are vulnerable, it's not your fault they get attacked, but you still don't want to be the exploit host or the source of the attack...) As far as your own site goes, it's that much easier for the attacker to change the user's password on your site, for instance.

AviD
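The custom-syntax route from chakrit's answer, the Markdown image form from Jonathan Tran's answer, and the whole-comment encoding plus protocol/extension restriction from AviD's answer, combined in one added Python example (this is not any answerer's code; the asker's platform is ASP.NET, but the logic is the same in any language). It HTML-encodes the entire comment and re-introduces an <img> only where a [url] or ![alt](url) token carries an absolute http(s) URL whose path ends in an assumed image-extension list; tokens such as Food[1] or [javascript:...] stay as literal text. The accepted schemes and extensions are assumptions. As AviD notes, any hosted image URL still makes each reader's browser issue a GET to that host, and this code does not address that.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")                      # assumption: restrict the protocol
ALLOWED_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")  # assumption: a cheap, weak extension check

# One pattern with two alternatives: the Markdown form ![alt](url) and the
# bare bracket form [url]. Neither admits whitespace or nested brackets in
# the URL, so ordinary prose like "Food[1]" matches only as "[1]".
IMAGE_TOKEN = re.compile(
    r"!\[(?P<alt>[^\]]*)\]\((?P<md_url>[^)\s]+)\)"
    r"|\[(?P<br_url>[^\[\]\s]+)\]"
)


def image_url_allowed(url):
    """Accept only absolute http(s) URLs whose *path* ends in an image extension."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 host literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    # Test the path, not the whole URL, so "?x=.jpg" cannot satisfy the check.
    return parts.path.lower().endswith(ALLOWED_EXTENSIONS)


def render_comment(text):
    """HTML-encode the whole comment, then re-introduce <img> only for tokens
    whose URL passes image_url_allowed(); everything else stays literal text."""
    out = []
    pos = 0
    for m in IMAGE_TOKEN.finditer(text):
        # Text between tokens is encoded verbatim (tags, quotes, ampersands).
        out.append(html.escape(text[pos:m.start()], quote=True))
        pos = m.end()
        url = m.group("md_url") or m.group("br_url")
        alt = m.group("alt") or ""
        if image_url_allowed(url):
            out.append(
                '<img src="%s" alt="%s" />'
                % (html.escape(url, quote=True), html.escape(alt, quote=True))
            )
        else:
            # Food[1], [javascript:...], [not a url]: keep the author's text, encoded.
            out.append(html.escape(m.group(0), quote=True))
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)
```

Tokenizing the raw comment and encoding each piece separately (rather than encoding first and then searching for brackets) matters: a URL containing & would otherwise be matched on its encoded form, and the scheme and extension checks would run against the wrong string.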