How to Prevent Invalid Tags for XSS

I read a comment about the wrong tags used for XSS attacks. How should I sanitize them? If I use a library such as HTMLPurifier, do I need to do this as part of my work, or is it an independent thing? I have not heard people talk a lot about this.

+4
4 answers

Part of the design philosophy of HTMLPurifier is to output only standards-compliant HTML, in order to minimize deviations in browser interpretation. This way, HTMLPurifier will never output invalid tags.

+2

HTMLPurifier is actually misinforming for XSS.

0

In this case, HTMLPurifier is redundant. If the XSS is inside the tag, you can introduce a JavaScript event without the need for <>. This recently happened on Twitter. The answer is to use htmlspecialchars($var, ENT_QUOTES);.

0

In this day and age, in order to fully and completely protect yourself from XSS, you will need to use a whitelist rather than the blacklist provided by the HTML cleaner. Not only in the case of the wrong context, even htmlspecialchars($var, ENT_QUOTES); will not help you, since there are many ways to avoid using both HTML tags and quotes (stringFromChar using a backslash); you also need to consider various browser encodings: for example, in UTF-7 this attack +ADw-script+AD4-alert(/xss/)+ADw-/script+AD4---//-- will be executed. Although HTMLPurifier does have a lot of overhead, it is a simple non-technical way to prevent XSS attacks (although there have been holes in it, and I believe there will be again).

0
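The two answers above disagree about whether htmlspecialchars($var, ENT_QUOTES) is enough. The added example below (written for this thread, not code from any of the posters or from the HTMLPurifier project) shows where that advice holds and where it does not: the same untrusted value is placed in a text node, in a quoted attribute, and in a JavaScript string, and each context gets its own encoder. The function names, the sample inputs and the page layout are constructed for illustration.

```php
<?php
// Added example (not from the original thread): context-aware output
// escaping in PHP. The helper names and the sample inputs below are
// constructed for illustration.

declare(strict_types=1);

// Escape for HTML text content and for QUOTED attribute values.
// ENT_QUOTES encodes both " and ', so a value can never close the
// attribute it sits in; ENT_SUBSTITUTE avoids an empty result on
// malformed UTF-8; the explicit charset stops any encoding guesswork.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for a value embedded as a string literal inside <script>.
// HTML escaping is the wrong tool in this context; json_encode with the
// HEX flags keeps <, >, &, ' and " out of the literal entirely.
function esc_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Declaring the charset is part of the fix: a page with no declared
// encoding can be sniffed by old browsers as UTF-7 (the case raised in
// the last answer), which makes the escaping above irrelevant.
function send_headers(): void
{
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=UTF-8');
    }
}

// Renders the value in three contexts.
//  1. text node: tags become inert entities.
//  2. quoted attribute: an embedded " becomes &quot;, so no new attribute
//     (such as an on* handler) can be started. The surrounding quotes are
//     mandatory; in an unquoted attribute a plain space already ends the
//     value, and no call to htmlspecialchars can change that.
//  3. JS string literal: JSON-encoded, never HTML-escaped.
function render(string $name, string $comment): string
{
    return '<p>' . esc_html($comment) . '</p>' . "\n"
         . '<input type="text" value="' . esc_html($name) . '">' . "\n"
         . '<script>var name = ' . esc_js($name) . ';</script>' . "\n";
}

// Constructed untrusted inputs of the two kinds discussed in the thread.
$name    = 'x" onmouseover="alert(1)';  // tries to break out of an attribute
$comment = '<script>alert(1)</script>'; // plain tag injection

send_headers();
echo render($name, $comment);
```

The point the example makes is that escaping is per context, not per page: esc_html() is correct for text and quoted attributes, esc_js() for script literals, and neither is a substitute for quoting the attribute in the first place. HTMLPurifier solves a different problem, allowing a whitelisted subset of user-supplied HTML to pass through; when the value is plain data rather than rich markup, the escaping above is the right tool and the sanitizer is, as the second answer says, redundant.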
