I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input?
How many sneaky HTML tricks are there to open XSS vulnerabilities? Obviously script tags and frames are not allowed, and a whitelist would be used on the fields in HTML elements, but why disallow most of everything?
If you leave something off a whitelist, then you just break something that wasn't important enough for you to think about in the first place.
If you leave something off a blacklist, then you've opened a big security hole.
If browsers add new features, then your blacklist becomes out of date.
Just read something about that yesterday. It's in the manual of feedparser.
A snippet:
The more I investigate, the more cases I find where Internet Explorer for Windows will treat seemingly innocuous markup as code and blithely execute it. This is why Universal Feed Parser uses a whitelist and not a blacklist. I am reasonably confident that none of the elements or attributes on the whitelist are security risks. I am not at all confident about elements or attributes that I have not explicitly investigated. And I have no confidence at all in my ability to detect strings within attribute values that Internet Explorer for Windows will treat as executable code. I will not attempt to preserve “just the good styles”. All styles are stripped.
There is a serious risk if you only blacklist some elements, and forget an important one. When you whitelist some tags you know are secure, the risk is smaller in letting something in which can be abused.
Even though script tags and frame tags are not allowed, you still can put any tag like this
<test onmouseover=alert(/XSS/)>mouse over this</test>
and many browsers works.
Because then you are sure that you don't miss anything. By explicitly allowing some tags you have obviously more control about what is allowed.
Whitelists are used in most security related topics. Think about firewalls. The first rule is to block any (incoming) traffic and then only open ports that are supposed to be open. This makes it far more secure.
Because other tags can break the layout of a page. Imagine what would happen if someone injects <style>
tag. <object>
tag is also dangerous.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With