Why use a whitelist for HTML sanitizing?

I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input?

How many sneaky HTML tricks are there to open XSS vulnerabilities? Obviously script tags and frames are not allowed, and a whitelist would be used on the fields in HTML elements, but why disallow most of everything?

Carson Myers, asked Mar 19 '10 08:03


5 Answers

If you leave something off a whitelist, then you just break something that wasn't important enough for you to think about in the first place.

If you leave something off a blacklist, then you've opened a big security hole.

If browsers add new features, then your blacklist becomes out of date.

Quentin, answered Oct 19 '22 04:10


I just read something about that yesterday. It's in the feedparser manual.

A snippet:

The more I investigate, the more cases I find where Internet Explorer for Windows will treat seemingly innocuous markup as code and blithely execute it. This is why Universal Feed Parser uses a whitelist and not a blacklist. I am reasonably confident that none of the elements or attributes on the whitelist are security risks. I am not at all confident about elements or attributes that I have not explicitly investigated. And I have no confidence at all in my ability to detect strings within attribute values that Internet Explorer for Windows will treat as executable code. I will not attempt to preserve “just the good styles”. All styles are stripped.

There is a serious risk if you only blacklist some elements and forget an important one. When you whitelist some tags you know are secure, the risk of letting in something that can be abused is smaller.

Ikke, answered Oct 19 '22 03:10


Even though script tags and frame tags are not allowed, you can still put in any tag like this:

<test onmouseover=alert(/XSS/)>mouse over this</test>

and it works in many browsers.

YOU, answered Oct 19 '22 05:10


Because then you are sure that you don't miss anything. By explicitly allowing some tags you obviously have more control over what is allowed.

Whitelists are used in most security related topics. Think about firewalls. The first rule is to block any (incoming) traffic and then only open ports that are supposed to be open. This makes it far more secure.

Felix Kling, answered Oct 19 '22 04:10


Because other tags can break the layout of a page. Imagine what would happen if someone injected a <style> tag. The <object> tag is also dangerous.

Pavel Nikolov, answered Oct 19 '22 04:10