1

Topic: White listing tags and making style tag safe?

The docs are a bit confusing but I think I got it. The code below is what I've done but I'm not sure if I need to do anything more to make it safe so no one can do any XSS.

$LawedConfig = array(
    'comment' => 1,
    'cdata' => 1,
    'elements' => "-* a, b, br, p, pre, i, u, em, strong, marquee, span, div, style",
    'balance' => 1,
    'clean_ms_char' => 1,
    'hexdec_entity' => 0,
    'keep_bad' => 0,
    'safe' => 1,
    'deny_attribute' => 'on*, style'
);

Those are the only tags I want to allow. However I need to make sure that XSS can't be done with those tags. Is there anything else I need to do?

Thanks for making this.

Specks

2

Re: White listing tags and making style tag safe?

I've tried to make the documentation clearer in the new, 1.0.7 release.

You have many of the $config parameters set correctly, but I think you can shorten the $config parameter value to:

'comment' => 1, 'cdata' => 1, 'safe' => 1, 'deny_attribute' => 'style', 
'elements' => 'a, b, br, p, pre, i, u, em, strong, span, div', 
'clean_ms_char' => 1, 'hexdec_entity' => 0, 'keep_bad' => 0

The reasoning:

* 'safe' is a super-directive and you have enabled it. That auto-adjusts 'comment' and 'cdata' to 0 but you (want to) override that using 'comment' => 1, 'cdata' => 1.

* 'safe' auto-adjusts 'deny_attribute' to 'on*' so 'onmouseover', etc., are not permitted. It also causes htmLawed to reject all protocols in 'style' attribute values, so specifying 'deny_attribute' manually may not be needed, unless you want to deny 'style' altogether using 'deny_attribute' => 'style'. The 'on*' need not be mentioned as 'safe' ensures htmLawed will consider the on* attributes denied.

* Setting 'balance' to 1 is unnecessary as that being the default value, 'balance' need not be specified. On the other hand, e.g., 'keep_bad' defaults to 6 but you want 0 and thus specify it.

* For 'elements', 'marquee' and 'style' are not HTML elements covered by htmLawed. Also, the comma-separated notation is used when not specifying the element-set with respect to the full element-set (denoted by *). The '-*' that you use is not required; it in fact will cause a misread as a result of which 'a' will not be permitted. In general, '*' or '+' or '-' should not occur in the value when elements are specified using comma-separated values. Those characters hold meaning only when referring to the default element set (which will exclude 'script', etc., when 'safe' is turned on) and adding/subtracting elements from it.

As for the anti-XSS efficacy of your $config value, I cannot guarantee, but I can say that with that value htmLawed will be the most aggressive towards XSS. If you feel like experimenting, try the various XSS attack codes detailed here (http://ha.ckers.org/xss.html) on the htmLawed demo page.
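The following is an added example, not code from the thread or from the htmLawed project itself. It applies the shortened $config suggested in the reply above to a few constructed inputs that exercise exactly the cases the reply discusses (an on* event handler, a style attribute, and elements outside the whitelist), then scans htmLawed's output for fragments that should never survive. It assumes htmLawed.php from the project is in the same directory and that it exposes the htmLawed($text, $config) function.

```php
<?php
// Added example: assumes htmLawed.php (from the htmLawed project) sits beside this script.
require_once __DIR__ . '/htmLawed.php';

// The $config recommended in the reply above, written out as a PHP array.
$config = array(
    'comment'        => 1,
    'cdata'          => 1,
    'safe'           => 1,
    'deny_attribute' => 'style',   // 'safe' already denies on*; this adds 'style'
    'elements'       => 'a, b, br, p, pre, i, u, em, strong, span, div',
    'clean_ms_char'  => 1,
    'hexdec_entity'  => 0,
    'keep_bad'       => 0,
);

// Constructed sample inputs, one per case the reply talks about.
$samples = array(
    'event handler'   => '<p onmouseover="alert(1)">hover</p>',
    'style attribute' => '<div style="background:url(javascript:alert(1))">x</div>',
    'script element'  => '<b>bold</b><script>alert(1)</script>',
    'marquee element' => '<marquee>not in the whitelist</marquee>',
);

// Run htmLawed and report any forbidden fragment that leaked into the output.
function sanitize_check($html, $config)
{
    $out = htmLawed($html, $config);
    // None of these should appear in sanitized output under this $config.
    $forbidden = array('onmouseover', 'style=', '<script', '<marquee');
    $leaked = array();
    foreach ($forbidden as $needle) {
        if (stripos($out, $needle) !== false) {
            $leaked[] = $needle;
        }
    }
    return array('output' => $out, 'leaked' => $leaked);
}

foreach ($samples as $name => $html) {
    $r = sanitize_check($html, $config);
    printf("%-16s %s\n", $name . ':', $r['output']);
    if ($r['leaked']) {
        printf("  LEAKED: %s\n", implode(', ', $r['leaked']));
    }
}
```

Running this against the release mentioned in post 4 (the one with the missing comma) is a quick way to reproduce the symptom reported in post 3: the 'style attribute' sample will report a leak, while a fixed copy reports none.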

3

Re: White listing tags and making style tag safe?

Thanks for the reply. I set the config just like you had it. It works great with one exception. It's still letting style through on the tags though.

4

Re: White listing tags and making style tag safe?

Thanks for pointing this out. The code in that release of htmLawed has a comma missing. You can download the latest release or edit the code in your copy of htmLawed.

Line 42 of htmLawed.php should have this in it (note the comma):

... (!empty($cf['safe']) ? ',on*' : '') ...

5

Re: White listing tags and making style tag safe?

Web-page illustrating anti-XSS efficacy of htmLawed with 'safe'=>1 against XSS code listed in RSnake's XSS cheat-sheet (http://ha.ckers.org/xss.html).

Also see this post.