tags:

views:

34

answers:

2
+1  Q: 

Detecting javascript in HTML

Hi,

I have two applications where users can submit HTML pages. I would like to make sure that no scripts are included in the HTML. Normally you would escape content to get rid of scripts, but as this is HTML I can't do that. Anyone with good suggestions on how to do that? The applications are written in both C# and Java

+1  A: 

The first thing I'd do is see if there is a <script> tag in the HTML. That solves the first issue, then you have to make sure there are no inline onmouseover/onclick etc. events. You could maybe use a DOM Parser to go over all elements and remove all attributes that start with 'on'.

I have little to no experience in both C# as Java, so am unaware of any "easier" solutions that area already available. But maybe someone else here has a better idea for that.

CharlesLeaf  2010-09-29 11:19:40
Usually it's much safer to decide on what you allow, rather than trying to remove the things you disallow.
sje397  2010-09-29 11:25:51
@sje397 I got the impression that he doesn't want to allow any javascript. And you'd still need to "remove" the things you disallow, right? If you do want to allow some javascript there are other security risks (like getting the document.cookie and sending it to a remote location.. session hijacking, location redirection etc.)
CharlesLeaf  2010-09-29 11:32:59
sje397  2010-09-29 11:43:42
Ah then I misunderstood your first comment. I agree with this, that is the best way to go.
CharlesLeaf  2010-09-29 11:46:06
Yes, this is all true. The problem though is that a javascript may come in many different flavors. There are numerous ways of inserting javascripts without using the <script> tag. This is a lot of good examples: http://ha.ckers.org/xss.html
Tomas  2010-09-29 13:09:08
And we also talked about those other ways ;) Another one would be CSS expressions for IE. There are many ways yes.
CharlesLeaf  2010-09-29 13:11:04
+1  A: 

OWASP has a project to scrub html and css

epascarello  2010-09-29 11:21:38
This looks interesting, will have a look at it.
Tomas  2010-09-29 13:11:10

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?