How to avoid XSS when loading HTML?

Question

How to avoid XSS when loading HTML?

We have an internal web application that acts as a repository to which users can upload files. These files can be of any format, including HTML pages.

We tested than in IE8, if you upload an HTML file containing several scripts that try to access your cookies, and after downloading you select the "Open" option, the script executes and receives your cookie information without any problems.

Actually, the script can use the XmlHttpRequest object to call the server and perform some malicious operations in the session of the user who uploaded the file.

Is there any way to avoid this? We tested that both Chrome and Firefox do not allow this to happen. How can I avoid this behavior in any browser, including IE8?

+5

javascript internet-explorer-8 xss

German latorre Oct 13 '10 at 10:53

source share

3 answers

. , , HTTP Content-disposition: attachment , . Apache Header set Content-disposition "attachment" .htaccess.

, Content-type: text/plain, , Internet Explorer. IE text/plain content-type, MIME-, ( /plain ). HTML- , text/html .

+4

p0deje 20 . '10 14:44

, HTML , , HTML mime type/plain, text/html .

. apache, . AddType.

+1

Kristian J. 13 . '10 11:14

Noon Silk · Accepted Answer · 2010-10-13T10:56:22+0000

Do not allow the download of meaningful content. This is an extremely scary idea.

One potential “solution” could be to place only untrusted downloads in a domain that does not have cookies and that the user in no way binds any trust. That would be a "solution", but certainly not ideal.

, , , /.

, , , .

How to avoid XSS when loading HTML?

More articles: