1

Topic: What is the fastest setting to only filter for XSS vulnerabilities?

Hi patnaik,

Thank you for your awesome code. I was wondering if all you want to do is filter for XSS vulnerabilities and nothing else what would be the setup that optimizes for speed?

I read somewhere on this forum that tag balancing takes up processing power. If we disable tag balancing, will it create a potential security risk?

So if I'm correct, the XSS-filter-only setup that optimizes for speed is:
safe = 1
balance = 0

Are there others to consider?

2

Re: What is the fastest setting to only filter for XSS vulnerabilities?

Thanks for the feedback.

'safe = 1' will take care of the XSS vulnerabilities, though it will disallow usage of elements like 'object' (which are exploited in the vulnerabilities).

'balance = 0' will speed up processing by perhaps a third, but memory usage will not be reduced that much, maybe 5%-10%. You can check the figures with sample inputs at the demo page. Tag balancing does not result in the generation of new elements de novo, and elimination of exploitable bad tags/characters is done in the steps prior to it, so disabling balancing should not increase security risks.

I doubt that other default parameters affect processing time/memory requirement irrespective of the nature of the input. (How long htmLawed takes to process an input depends on its length, the number of HTML tags within, etc.).
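As an added example (not code from this thread or from htmLawed itself), the two settings discussed above run side by side in PHP so the timing and output difference of 'balance' can be seen on a constructed input. It assumes htmLawed.php is in the same directory as the script.

```php
<?php
// Added example, not from the thread: compare 'safe=1, balance=1' with the
// speed-oriented 'safe=1, balance=0' setup on the same constructed input.
// Assumption: htmLawed.php (the project's own file) sits beside this script.
require_once __DIR__ . '/htmLawed.php';

// Constructed sample input: a script element, an inline event handler,
// a javascript: URL, and an unclosed <b> that balancing would close.
$input = '<p>Hello <b>world<script>alert(1)</script>'
       . '<a href="javascript:alert(2)" onclick="alert(3)">link</a></p>';

$configs = array(
    'safe+balance' => array('safe' => 1, 'balance' => 1),
    'safe only'    => array('safe' => 1, 'balance' => 0),  // the thread's fast setup
);

// Crude defender-side sanity check on the filtered output; it is a smoke
// test for this demo, not a substitute for the filter itself.
function looks_clean($html) {
    return !preg_match('/<script|javascript:|\bon\w+\s*=/i', $html);
}

foreach ($configs as $name => $config) {
    $start = microtime(true);
    $out   = htmLawed($input, $config);
    $ms    = (microtime(true) - $start) * 1000;
    printf("%-13s %7.3f ms  clean=%s\n  %s\n",
           $name, $ms, looks_clean($out) ? 'yes' : 'no', $out);
}
// With balance=0 the output may keep unclosed tags such as the <b> above;
// that only matters for how the surrounding page renders, which is why the
// thread treats it as a speed trade-off rather than a safety one.
```

Run it against a few inputs of realistic size to reproduce the roughly one-third processing-time difference the reply mentions; short inputs like the one above are too small to time meaningfully.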

3 (edited by akambat3 2010-02-11 03:04:06)

Re: What is the fastest setting to only filter for XSS vulnerabilities?

So just to confirm... the setting I mentioned earlier would deliver the fastest settings for htmLawed if all you're concerned about is ensuring safe content.

If this is something that a lot of people want, pure safety filtering... you could consider a mode such as safe_quick :)

4

Re: What is the fastest setting to only filter for XSS vulnerabilities?

akambat3 wrote:

So just to confirm... the setting I mentioned earlier would deliver the fastest settings for htmLawed if all you're concerned about is ensuring safe content.

Yes.

The 'safe_quick' mode idea sounds interesting, though as a shortcut for just two parameter values, it doesn't seem worthwhile :)