Hi
I just don't know what to think anymore. It seems like the people who made javascript went out of their way to allow it to be written a million different ways so hackers can have a field day.
I finally got my white list up by using Html Agility Pack. It should remove
<script></script>
as it is not in my white list, plus any onclick, onmouse, etc.
However, now it seems you can write javascript in the attribute tags.
<IMG SRC="javascript:alert('hi');">
and since I allow SRC attributes my white list can't help me on this. So I came up with the idea to go through all valid attributes at the end and look inside them.
So it would find all my allowed attributes for every html tag (so src, href, etc.).
I then found the InnerText and put it to lowercase. I then did an index check on this string for "javascript".
If an index was found I started at that index and removed every character from that index on. So in the above case the attribute would be left with Src="".
Now it seems that is not good enough since you can do something like
java script jav ascript
and probably a space between every letter.
So I don't know how to stop it. If it was just a space between java and script then I could just write a simple regex that did not care how many spaces between. But if it is really that you can put a space or tab or whatever after each letter then I have no clue.
Then, to top it off, you can do all these other great ways too:
<IMG SRC=javascript:alert('XSS')> // will work apparently
<IMG SRC="jav ascript:alert('XSS');"> // will work apparently
<IMG SRC="jav	ascript:alert('XSS');">// will work apparently
<IMG SRC="jav
ascript:alert('XSS');"> // will work apparently
I know this is for some cross-site scripting attack (I am not making an XSS; ASP.NET MVC does a good job of this already), but I don't see why it can't be used for other things; like in all those examples it makes alerts, so it could be used for something else.
So I have no clue how to check and remove any of these.
I am using C#, but I don't know how to stop any of these and don't know of anything in C# that could help me out.
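The approach the poster is fighting (searching attribute values for the string "javascript") is a blocklist, and every whitespace, control-character or entity-encoding trick in the list above is a way around a blocklist. The defensive alternative is to allow-list the URL scheme: decode the attribute value, drop the characters browsers ignore inside a scheme, and keep the attribute only if it is relative or uses a scheme you explicitly permit. The following is an added example written for this answer, not code from the poster or from the Html Agility Pack project; it assumes the HtmlAgilityPack NuGet package is referenced, and the attribute list, scheme list and sample inputs are constructed for the demonstration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;
using HtmlAgilityPack;

static class UrlAttributeSanitizer
{
    // Attributes whose value a browser treats as a URL (constructed list; extend for your tag allow-list).
    static readonly string[] UrlAttributes = { "src", "href", "action", "formaction", "background", "poster" };

    // Schemes we are willing to keep. Anything else (javascript:, vbscript:, data:, ...) is dropped.
    static readonly string[] AllowedSchemes = { "http", "https", "mailto" };

    // Matches numeric character references with or without the trailing ';' (&#106; &#x6A &#0000106;).
    static readonly Regex NumericEntity = new Regex(@"&#(x[0-9a-f]+|[0-9]+);?", RegexOptions.IgnoreCase);

    // Decodes numeric references ourselves (so the missing-semicolon form is handled), then named ones.
    static string DecodeEntities(string value)
    {
        string decoded = NumericEntity.Replace(value, m =>
        {
            string body = m.Groups[1].Value;
            if (body.Length > 8) return "";                       // absurdly long code point: discard
            int code = body.StartsWith("x", StringComparison.OrdinalIgnoreCase)
                ? Convert.ToInt32(body.Substring(1), 16)
                : int.Parse(body);
            bool valid = code >= 0 && code <= 0x10FFFF && !(code >= 0xD800 && code <= 0xDFFF);
            return valid ? char.ConvertFromUtf32(code) : "";
        });
        return WebUtility.HtmlDecode(decoded);
    }

    // True if the attribute value is a relative URL or uses an allowed scheme.
    public static bool IsSafeUrl(string value)
    {
        if (value == null) return true;
        string decoded = DecodeEntities(value);

        // Browsers ignore tabs, newlines and control bytes inside the scheme ("jav\tascript:"),
        // so remove them before looking at it; this is what defeats the spacing tricks.
        string normalized = new string(decoded
            .Where(c => !char.IsWhiteSpace(c) && !char.IsControl(c))
            .ToArray());

        int colon = normalized.IndexOf(':');
        if (colon < 0) return true;                               // no scheme: relative URL

        // A '/', '?' or '#' before the first ':' means the colon is in the path, not a scheme ("/a:b").
        int firstDelimiter = normalized.IndexOfAny(new[] { '/', '?', '#' });
        if (firstDelimiter >= 0 && firstDelimiter < colon) return true;

        string scheme = normalized.Substring(0, colon).ToLowerInvariant();
        return AllowedSchemes.Contains(scheme);
    }

    // Parses the fragment with Html Agility Pack and removes every URL attribute that fails IsSafeUrl.
    public static string StripUnsafeUrls(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html);
        foreach (HtmlNode node in doc.DocumentNode.Descendants().ToList())
        {
            foreach (HtmlAttribute attr in node.Attributes.ToList())
            {
                bool isUrlAttribute = UrlAttributes.Contains(attr.Name, StringComparer.OrdinalIgnoreCase);
                if (isUrlAttribute && !IsSafeUrl(attr.Value))
                    attr.Remove();
            }
        }
        return doc.DocumentNode.OuterHtml;
    }

    static void Main()
    {
        // Constructed inputs: the poster's variants plus an entity-encoded one and two legitimate URLs.
        string[] samples =
        {
            "<img src=\"javascript:alert('hi');\">",
            "<img src=\"jav\tascript:alert('XSS');\">",
            "<img src=\"jav\nascript:alert('XSS');\">",
            "<img src=\"&#106;avascript:alert('XSS')\">",
            "<img src=\"https://example.com/pic.png\">",
            "<a href=\"/relative/path\">link</a>",
        };
        foreach (string sample in samples)
            Console.WriteLine(StripUnsafeUrls(sample));
    }
}
```

The first four samples lose their src attribute; the last two are kept unchanged. The important design point is that nothing in IsSafeUrl looks for the word "javascript": a new encoding or a different dangerous scheme fails the allow-list automatically, whereas a blocklist has to be updated for each one. Run this on the raw attribute value, not on a value you have already lowercased or trimmed, so the decoding step sees exactly what the browser would.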