views: 62, answers: 4

Is it, in any way, possible to disable the browser's execution of script inside a block/section/element?

My scenario is that I'm letting my (future) users create "rich content" (using CKEditor). Content that will later be shown to other users, with all the dangers that implies: XSS, redirection, identity theft, spam and what not...

I've, more or less, given up on trying to "sanitize" the incoming XHTML, after seeing how many known "vectors of attack" there are: http://ha.ckers.org/xss.html

What I'm really looking for is something like:

<div id="userContent"><scriptOFF>

suspect HTML

</scriptOFF></div>

+3  A: 

You have to sanitize the input, there is no way to selectively disable javascript that I know of.

It is important to use a whitelist of allowed tags, not a blacklist. That way it should be possible to do it safely.

Fabian
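To make the whitelist point concrete, here is a minimal whitelist sanitizer written for this page on top of Python's standard html.parser. It is an added illustration, not code from anyone in the thread and not HTML Purifier's or AntiSamy's policy; the allowed tags, attributes and URL schemes are assumptions chosen for the example. The idea it demonstrates is the one Fabian describes: nothing is "cleaned up", every tag and attribute that is not explicitly listed is dropped, text is re-escaped on output, and href values are checked against a scheme whitelist rather than a blacklist of bad strings.

```python
# Whitelist sanitizer on top of Python's standard html.parser.
# Added illustration only; the allowed tags, attributes and URL schemes
# below are assumptions for this example, not HTML Purifier's policy.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Whitelist: tag -> attributes kept on it. Anything not listed is dropped,
# never "repaired". Event handlers (on*), style, src etc. are simply absent.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}
# For these tags the *content* is discarded too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "textarea"}
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL


def safe_url(value):
    """Return the URL if its scheme is whitelisted, else None.

    Whitespace and control characters are removed first, because browsers
    ignore them inside the scheme ("java\\tscript:" still runs).
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    try:
        scheme = urlparse(cleaned).scheme.lower()
    except ValueError:
        return None
    return cleaned if scheme in SAFE_URL_SCHEMES else None


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: entity-encoded text arrives decoded (attribute
        # values always do), so "&#106;avascript:" is seen as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []    # allowed tags emitted so far, for well-nested closing
        self.skipping = None   # name of the DROP_CONTENT tag we are currently inside

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skipping = tag
            return
        allowed_attrs = ALLOWED_TAGS.get(tag)
        if allowed_attrs is None:
            return                      # unknown tag dropped; its text is still emitted
        kept = []
        for name, value in attrs:
            if name not in allowed_attrs or value is None:
                continue
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            # Close everything opened after it as well, so the output nests
            # properly even when the input was <p><b>text</p>.
            while True:
                top = self.open_tags.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break
        # stray, void or unknown end tags are dropped

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE>, <?pi> and <![CDATA[ fall through to HTMLParser's
    # default no-op handlers, which also removes IE conditional comments.

    def result(self):
        self.close()                   # flush buffered text
        while self.open_tags:          # close anything the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(untrusted_html):
    parser = WhitelistSanitizer()
    parser.feed(untrusted_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs in the spirit of the ha.ckers.org cheat sheet.
    for sample in ['<p>Hello <b onmouseover="alert(1)">world</b></p>',
                   '<a href="&#106;avascript:alert(1)">click</a>',
                   '<script>alert(1)</script><p><b>kept</p>']:
        print(sanitize(sample))
```

Because the output is regenerated from the parse tree rather than patched in place, malformed input (unclosed tags, uppercase tag names, entity-encoded schemes) comes out as plain, well-nested markup. It is still only an illustration of the approach; for production use the libraries named later in this thread, which carry the accumulated knowledge of the bypasses on that cheat sheet.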
+1  A: 

Yes, but that "whitelist" would be HUGE, and I'm far from competent enough to detect subtle loopholes, à la those described here: http://ha.ckers.org/xss.html

This would need to be a "community effort" - looking at HTML-purifier (http://htmlpurifier.org) now...

I just thought it would be great to have such a tag to prevent 99% of the XSS "vectors"

  • Can "anyone in power" please convince the browser-makers to implement it : )

Edit: Alright. HTML-purifier it is! - thanks to everybody for replying : )

T4NK3R
Browser implementers *are* thinking about it - search for "html5 iframe sandbox". It will take years for it to become widespread, and by then attackers would move over to other browser vulnerabilities.
sri
Security should (almost) never be enforced on the client! What would happen if someone visits your site with an older browser that does not yet support this?
Fabian
+2  A: 

The ideal way is to not accept html/javascript from the end users. If you are okay with that limitation, you just need to make sure you encode the output according to the appropriate context. Don't re-invent the wheel, just use an existing library for that purpose.

But if you must accept HTML, use a library like OWASP's AntiSamy or HTML Purifier. They were built exactly for this purpose.

sri
HTML Purifier it is, and it works perfectly (as far as I can see) :) Also, it's recommended by OWASP.
T4NK3R
+1  A: 

Even if you used a "noscript" tag or a "textarea" tag, it's still XSS. What's keeping the attacker from injecting closing tags?

<div id="userContent"><scriptOFF>

<?=$_GET['xss']?>

</scriptOFF></div>

But it's still XSS:

http://localhost/xss.php?xss=</scriptOFF></div><script>alert(/still_xss/)</script>
Rook