I'm using HTMLPurifier to check for XSS in an entire HTML document. The problem is that it appears to strip out anything that isn't inside <body> tags. But, I want to keep everything, just look out for serious XSS attacks.

Any ideas how to allow <HTML>, <HEAD>, <META> etc.?

A: 

Remember that you can construct an XSS attack that runs from 'head'.

Rich Bradshaw
+2  A: 

David, I just searched on the HTMLPurifier support forum and saw that you've been busy.

But perhaps you missed the posting from a few months ago that addresses your exact issue, specifically the reply:

Full document support will (ostensibly) come some time in the HTML Purifier 5.x series; we don't actually have the parsing code necessary to actually deal with full HTML documents.

Until then, you'll want to capture your head and DTD and re-add it to the purified doc.

Anthony
A: 

You can tell HTML Purifier what tag the purified code will be inside (it defaults to 'div'). Setting this to 'span' would block all block-level tags. You could experiment with setting it to 'body', or even to 'html'.

TRiG
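One way to put Anthony's workaround into practice while respecting Rich's point that the head can also carry script-executing markup. This is an added example, not code from the question, the answers, or the HTML Purifier project; it assumes HTML Purifier is installed via Composer and that the whole document is untrusted. Rather than re-adding the captured head verbatim, it rebuilds the head from a fixed template and keeps only an escaped title.

```php
<?php
// Added example (not from the thread or the HTML Purifier project).
// Assumes a Composer install of ezyang/htmlpurifier and untrusted input.
require_once 'vendor/autoload.php';

/**
 * Purify a full HTML document: HTML Purifier only handles the body fragment,
 * so the DOCTYPE and <head> are replaced with a trusted template instead of
 * being copied back from the untrusted input.
 */
function purifyFullDocument(string $html): string
{
    // Body fragment is what HTML Purifier understands; fall back to the whole input.
    if (preg_match('~<body[^>]*>(.*?)</body>~is', $html, $m)) {
        $bodyFragment = $m[1];
    } else {
        $bodyFragment = $html;
    }

    // The only head element preserved is <title>, reduced to escaped plain text.
    $title = '';
    if (preg_match('~<title[^>]*>(.*?)</title>~is', $html, $m)) {
        $text  = html_entity_decode(strip_tags($m[1]), ENT_QUOTES, 'UTF-8');
        $title = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }

    $config = HTMLPurifier_Config::createDefault();
    // HTML.Parent is the element the fragment is treated as living inside
    // (default 'div', as mentioned in the answer above); shown explicitly here.
    $config->set('HTML.Parent', 'div');
    $purifier  = new HTMLPurifier($config);
    $cleanBody = $purifier->purify($bodyFragment);

    // Reassemble with a fixed DOCTYPE and minimal head that never came from input.
    return "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n"
         . "<title>{$title}</title>\n</head>\n<body>\n{$cleanBody}\n</body>\n</html>\n";
}

// Constructed sample input: head and body both contain markup that should not survive.
$untrusted = '<!DOCTYPE html><html><head><title>Report &amp; Notes</title>'
           . '<script>bad()</script></head><body><p onclick="bad()">text</p></body></html>';
echo purifyFullDocument($untrusted);
```

The `<script>` in the head is dropped because the head is never copied, and the `onclick` attribute is removed by HTML Purifier's default whitelist.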