W3C home > Mailing lists > Public > www-html@w3.org > August 2002

New html security tag

From: Carlos Paz <capaz@colomsat.net.co>
Date: Fri, 16 Aug 2002 08:55:40 -0500
To: www-html@w3.org
Message-ID: <courier.3D5D045C.000072D4@tomcat.colomsat.net.co>


I'm posting this message here by suggestion of a mozilla team member... 

Sorry about the lengthy post, and please don't get picky on the xhtml 
validity of this proposal, that can be issued later. 

A problem that most web developers must face today is the security risk
involved with the publication of user contributed data on their website
that allows some html formatting tags, since there is a chance that a
malicious user adds some java/javascript code that, when the page is
displayed, steals session information or performs other actions on behalf
of other users browsing the page. 

There isn't yet (AFAIK) a common solution to this problem: not all web
development languages provide a way to block some tags and let others on a
page, and many web developers currently strip out the <javascript> tag on
user's data but fail to check for less known but equally dangerous tags
(like onClick, onMouseOver, etc). 

This seems like a web server application problem, but clients are involved 
on this issue, since the set of dangerous tags depends/is defined/is 
extended/ by the client's browsers. 

Since browsers perform the document parsing and the lexical/semantic 
analysis of the page, and they know which html tags are dangerous on their 
case; adding some extra logic to deal with the problem above shouldn't be 
too difficult, and seems the "natural" place to implement security 

I propose a new tag like this:
web app's html
<p>A user's comment:</p>
<security block="action_tags" id="SECURITY_TAG_ID"

Here goes the user's data, comments, hmtl, etc.
All harmless html code is rendered, but code enabling tags
(java/script,activex and other not known/implemented dangerous tags)
stuff is ignored. 

</security id="SECURITY_TAG_ID">
The rest of the app's html.

The <security> tag explicitly tells the browser to block all code enabling
tags on the enclosed block, this could be refined to something like
"enable only a safe subset of the javascript engine" (enable alert windows
and status bar handling, disable access to cookies, fetching other
documents or altering the form's action attribute), or "only allow this 
tags: <b>,<br> and <em>". 

The "SECURITY_TAG_ID" value on the id attribute is a random and hard to
guess string generated by the web app, stored safely in the browser parsing
engine and used to "authenticate" the closing </security> tag. This would
avoid that a malicious user could close prematurely the security enhanced

The report_to attribute would be used by the browser to report a page
(uri) when there is an attempt to use unauthorized code or an invalid
</security> tag on the corresponding security block. Additional
information like the session's data or type of violation attempted could
be provided. 

This is just a first attempt to define this feature, I believe this tag is 
far from completion, but it would greatly simplify web development. 

Further development, suggestions and corrections are greatly appreciated. 
Received on Friday, 16 August 2002 10:01:51 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:06:00 UTC