Jsoup relaxed whitelist too strict for WYSIWYG editor

I am trying to use jsoup to sanitize the HTML sent from the WYSIWYG editor in my client (TinyMCE, as it happens).

Relaxed mode does not seem to be relaxed enough, since by default it strips span elements and any style attributes.

e.g.,

    String text = "<p style=\"color: #ff0000;\">foobar</p>";
    Jsoup.clean(text, Whitelist.relaxed());

displays

 <p>foobar</p> 

and

 <span>foobar</span> 

will be completely removed.

Does anyone have any experience using Jsoup to eliminate the possibility of XSS attacks and still allow these elements and attributes through?

Edit: I went with the following. Can anyone tell me how vulnerable this is?

 Jsoup.clean(pitch, Whitelist.relaxed().addTags("span").addAttributes(":all","style")); 

Edit 2: Has anyone used the OWASP library in production? It looks to sanitize properly while maintaining the right styles. OWASP

+8
java security xss jsoup wysiwyg
1 answer

It seems that XSS can be used with the style attribute.

XSS Attributes and Style Attributes

http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/

http://www.acunetix.com/websitesecurity/cross-site-scripting.htm (See the DIV section, which I thought would work the same for SPAN)

Here is the code I wrote to check the example in the last link:

    String text = "<span style=\"width: expression(alert('XSS'));\">";
    System.out.println(Jsoup.clean(text,
        org.jsoup.safety.Whitelist.relaxed().addTags("span").addAttributes(":all", "style")));

It outputs the input unchanged. If this is really an XSS vector, you could still be in trouble.

+7
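As an added example (not code from the question or the answer), one way to keep span and style while closing the gap the answer demonstrates: run the question's whitelist first, then re-parse the result and keep only style declarations whose property is in an assumed allowlist and whose value contains no parentheses, colons, slashes or quotes. It assumes the Whitelist API of the jsoup version used in the thread and Java 9+ for Set.of.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Whitelist;

public class StyleSanitizer {
    // CSS properties the editor is assumed to need; extend deliberately.
    private static final Set<String> ALLOWED_PROPS = Set.of(
        "color", "background-color", "font-weight", "font-style",
        "text-decoration", "text-align", "font-size");

    // One declaration: property, colon, value. The value class has no ( ) : ; / \
    // or quotes, so expression(), url() and javascript: cannot appear in it.
    private static final Pattern DECL = Pattern.compile(
        "^([a-z-]+)\\s*:\\s*([#\\w\\s,.%-]+)$");

    public static String clean(String dirty) {
        // Same whitelist as the question, so span and style survive tag filtering.
        String tagClean = Jsoup.clean(dirty,
            Whitelist.relaxed().addTags("span").addAttributes(":all", "style"));
        Document doc = Jsoup.parseBodyFragment(tagClean);
        for (Element el : doc.select("[style]")) {
            String safe = filterStyle(el.attr("style"));
            if (safe.isEmpty()) el.removeAttr("style"); else el.attr("style", safe);
        }
        return doc.body().html();
    }

    // Keep only declarations with an allowed property and a plain value.
    static String filterStyle(String style) {
        StringBuilder out = new StringBuilder();
        for (String decl : style.split(";")) {
            Matcher m = DECL.matcher(decl.trim().toLowerCase());
            if (m.matches() && ALLOWED_PROPS.contains(m.group(1))) {
                if (out.length() > 0) out.append("; ");
                out.append(m.group(1)).append(": ").append(m.group(2).trim());
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the question's paragraph and the answer's test vector.
        System.out.println(clean("<p style=\"color: #ff0000;\">foobar</p>"));
        System.out.println(clean("<span style=\"width: expression(alert('XSS'));\">x</span>"));
    }
}
```

The first input keeps its color declaration; the second loses the style attribute entirely, because width is not allowed and the value fails the character check.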
