tags:

views:

187

answers:

5
+1  Q: 

Why use a whitelist for HTML sanitizing?

I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input?

How many sneaky HTML tricks are there to open XSS vulnerabilities? Obviously script tags and frames are not allowed, and a whitelist would be used on the fields in HTML elements, but why disallow most of everything?

+3  A: 

Just read something about that yesterday. It's in the manual of feedparser.

A snippet:

The more I investigate, the more cases I find where Internet Explorer for Windows will treat seemingly innocuous markup as code and blithely execute it. This is why Universal Feed Parser uses a whitelist and not a blacklist. I am reasonably confident that none of the elements or attributes on the whitelist are security risks. I am not at all confident about elements or attributes that I have not explicitly investigated. And I have no confidence at all in my ability to detect strings within attribute values that Internet Explorer for Windows will treat as executable code. I will not attempt to preserve “just the good styles”. All styles are stripped.

There is a serious risk if you only blacklist some elements, and forget an important one. When you whitelist some tags you know are secure, the risk is smaller in letting something in which can be abused.

Ikke  2010-03-19 08:12:34
A good point, although I can't think of anything that could cause security risks off the top of my head, that I don't already know about. Could you provide a resource to such seemingly innocent but somehow exploitable HTML elements?
Carson Myers  2010-03-19 08:17:26
@Carson - yes, but what about the new exploit that comes along tomorrow? If you've got a tight whitelist - no updates required. If you've got a blacklist in 30 applications - lots of updates
Damien_The_Unbeliever  2010-03-19 08:20:42
+2  A: 

Because other tags can break the layout of a page. Imagine what would happen if someone injects <style> tag. <object> tag is also dangerous.

Pavel Nikolov  2010-03-19 08:13:09
That's true, `</div>` could do it also I suppose
Carson Myers  2010-03-19 08:16:29
This doesn't really answer the question, a blacklist could stop those tags too.
Andy E  2010-03-19 08:17:27
@Andy it could but I think this also adds to the point that there's _so many things_ to consider that it's far too easy to write something off as safe. Obviously style tags would be disallowed, but to be honest I might have forgotten that `<object>` even exists
Carson Myers  2010-03-19 08:20:28
+10  A: 

If you leave something off a whitelist, then you just break something that wasn't important enough for you to think about in the first place.

If you leave something off a blacklist, then you've opened a big security hole.

If browsers add new features, then your blacklist becomes out of date.

David Dorward  2010-03-19 08:14:57
Ah -- the 'less room for human error' aspect had occurred to me (and of course I use a whitelist), I'm just curious about how fundamental this part of security really is
Carson Myers  2010-03-19 08:18:31
@Carson: The fundamental part is the "if browsers add new features". There's just *no* way for you to predict this. One might also argue that catering to human error is *the* fundamental idea of security in general, hence the "if you leave something off a whitelist".
sleske  2010-03-19 08:33:14
Also, even if you keep on top of new browser features, there's the problem of undocumented features (see e.g. Ikke's answer), which might bite you.
sleske  2010-03-19 08:33:53
+3  A: 

Because then you are sure that you don't miss anything. By explicitly allowing some tags you have obviously more control about what is allowed.

Whitelists are used in most security related topics. Think about firewalls. The first rule is to block any (incoming) traffic and then only open ports that are supposed to be open. This makes it far more secure.

Felix Kling  2010-03-19 08:15:48
+2  A: 

Even though script tags and frame tags are not allowed, you still can put any tag like this

<test onmouseover=alert(/XSS/)>mouse over this</test>

and many browsers works.

S.Mark  2010-03-19 08:26:27
this is a good example, but of course with whitelisting or blacklisting, element fields like "onmouseover" and the like would be stripped from tags anyway
Carson Myers  2010-03-19 08:39:22
True, I just wanted to mention about tags, onmouseover is just the one come out on my mind at the moment.
S.Mark  2010-03-19 08:43:08

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?