sami

Reputation: 7645

How to prevent malformed tags for XSS

I read a comment about malformed tags being used for XSS attacks. How am I supposed to sanitize against these? If I use a library like HTMLPurifier, does it take care of this as part of its work, or is this an independent thing? I don't hear people talking about it much.

Upvotes: 4

Views: 1001

Answers (4)

rook

Reputation: 67019

In this case HTMLPurifier is overkill. If the XSS is within a tag then you can inject a JavaScript event without the need for <>. Recently this happened to Twitter. The answer is to use htmlspecialchars($var, ENT_QUOTES);.

Upvotes: 0
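To make the two points above concrete (the malformed tags from the question and the attribute-context injection from this answer), here is an added PHP example. It is not code from the original thread, and every payload string in it is a constructed sample. The weak filter naiveStripScript and the other helper names are assumptions of the example; htmlspecialchars and its ENT_QUOTES, ENT_COMPAT and ENT_SUBSTITUTE flags are the real PHP API.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread.
// Two points from the discussion, in runnable form:
//   1. a blacklist filter can be defeated by a malformed tag that only
//      becomes well-formed AFTER the filter has removed its own pattern;
//   2. inside an attribute a payload needs no '<' or '>' at all, so the
//      defence is output encoding chosen for the context, with ENT_QUOTES.
// All inputs below are constructed samples.

// Deliberately weak blacklist: one pass of "remove <script> and </script>".
// (Hypothetical helper written for this example.)
function naiveStripScript(string $input): string
{
    return str_ireplace(['<script>', '</script>'], '', $input);
}

// Context-correct encoding for HTML text nodes and quoted attribute values.
// ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string; the charset is pinned
// explicitly rather than left to the runtime default.
function escapeHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Weak variant kept for comparison: ENT_COMPAT leaves single quotes alone
// (this was the default flag set before PHP 8.1).
function escapeHtmlCompatOnly(string $input): string
{
    return htmlspecialchars($input, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// Render an untrusted value into a single-quoted attribute, using the
// supplied escaper. Quote style matters: ENT_COMPAT only protects "..." .
function renderInput(string $value, callable $escaper): string
{
    return "<input type='text' value='" . $escaper($value) . "'>";
}

// Point 1: the malformed tag survives the blacklist and reassembles into
// a real <script> element, whereas encoding leaves it as inert text.
$malformed = '<scr<script>ipt>alert(1)</scr</script>ipt>';
echo "blacklist output : " . naiveStripScript($malformed) . "\n";
echo "encoded output   : " . escapeHtml($malformed) . "\n";

// Point 2: attribute context. The payload contains no angle brackets; it
// closes the single-quoted value and adds an event handler attribute.
$attrPayload = "' onfocus='alert(1)' autofocus='";
echo "ENT_COMPAT       : " . renderInput($attrPayload, 'escapeHtmlCompatOnly') . "\n";
echo "ENT_QUOTES       : " . renderInput($attrPayload, 'escapeHtml') . "\n";
```

Run it with the PHP CLI and compare the four lines. The blacklist line shows a well-formed script element built from fragments the filter did not recognise, which is exactly what "malformed tags" buys an attacker against pattern removal. The ENT_COMPAT line shows the attribute value terminated early and a new event-handler attribute introduced without a single < or >, which is the tag-context injection this answer describes; the ENT_QUOTES line keeps the whole payload inside the attribute value as encoded text. Pinning the charset both in htmlspecialchars and in the Content-Type response header matters for the same reason: an encoding the browser has to guess is one more context the encoder did not account for.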

cyber-guard

Reputation: 1846

In this day and age, to protect yourself fully and completely against XSS, you will need to whitelist rather than blacklist, which HTML Purifier provides. Not only that: if put into the wrong context, even htmlspecialchars($var, ENT_QUOTES); won't help you, as there are many ways to avoid using both HTML tags and quotes (stringFromChar, using backslashes). You also have to consider different browser charsets, which could allow e.g. this attack in UTF-7, \\\+ADw-script+AD4-alert(/xss/)+ADw-/script+AD4---//--, to be executed. Although HTMLPurifier does have big overheads, it is a simple non-technical way to prevent XSS attacks (although there have been, and I believe will be, holes in its filters too).

Upvotes: 0

Edward Z. Yang

Reputation: 26742

Part of HTML Purifier's design philosophy is to only output standards compliant HTML, in order to minimize variance in browser interpretation. Thus, HTML Purifier will never output malformed tags.

Upvotes: 2

user372743

Reputation:

HTMLPurifier will in fact sanitize for XSS.

Upvotes: 0
