Seva Alekseyev
Reputation: 61388
Sanitizing HTML by URLEncoding the attribute values
I'm looking at the source of a third party HTML sanitizer. After parsing the HTML into a DOM tree, the code does two things:
- Deletes all elements and attributes not on the whitelist
- Encodes all attribute values with
UrlPathEncode
What is the latter for, what kind of attack is it meant to prevent? Some flavor of XSS most likely, but which pathway? Sneaking JavaScript in event handler attributes will be prevented by the white list, won't it?
Meanwhile, unconditional url-encoding of all attributes will mess up some user visible text, like alt on images and title on links. The browser doesn't url-decode those, I've checked.
Upvotes: 1
Views: 348
Answers (0)
Related Questions
- Sanitizing untrusted HTML5
- Sanitizing HTML input value
- Security implication of allowing attributes while sanitising HTML using DOMPurify
- Javascript sanitization: The most safe way to insert possible XSS html string
- HTML and Attribute encoding
- Sanitizing html string with javascript using browser to interpret html
- Sanitizing inputs with AEM
- Sanitizing user input when creating HTML elements
- Sanitize all scripts from html string
- HTML Purifier against external resources