W3C home > Mailing lists > Public > www-html@w3.org > September 2002

RE: New security tag

From: Rowland Shaw <Rowland.Shaw@crystaldecisions.com>
Date: Wed, 11 Sep 2002 00:18:10 -0700
Message-ID: <963A03BCAFF059488BAFF33AE5C8709774BC6C@IPSENT04>
To: "'Carlos Paz'" <capaz@iote.net>, www-html@w3.org

Isn't this what you suggested on 16th August 2002?

-----Original Message-----
From: Carlos Paz [mailto:capaz@iote.net] 
Sent: 10 September 2002 19:58
To: www-html@w3.org
Subject: New security tag


I'm posting this message here by suggestion of a mozilla development team 
member (I got kicked out when I posted this as a desired feature in mozilla 
;-)... 

Sorry about the lengthy post, and please don't get picky on the xhtml 
validity of this proposal, that can be issued later. 

A problem that most web developers must face sometime is the security risk
involved with the publication of user contributed data on their website
that allows some html formatting tags, since there is a chance that a
malicious user adds some java/javascript code that, when the page is
displayed, steals session information or performs other actions on behalf
of other users browsing the page. 

There isn't yet (AFAIK) a universal solution to this problem: not all web
development languages provide a way to block some tags and let others on a
page, and many web developers currently strip out the <javascript> tag on
user's data but fail to check for less known but equally dangerous tags
(like onClick, onMouseOver, etc). 

Even though this seems like a server side problem, I think that clients
are involved on this issue too, since some code enabling tags are specific
to some browsers (IE's activex, for example) and since they do all the
document parsing and the lexical/semantic analysis of the page; adding
some extra logic to deal with the problem above shouldn't be too
difficult. 

I propose a new tag like this:
 ------------------------------
<html>
...
web app's html
...
<p>A user's comment:</p>
<security block="action_tags" id="SECURITY_TAG_ID"
report_to="/security.php"> 

Here goes the user's data, comments, hmtl, etc.
All harmless html code is rendered, but code enabling tags
(java/script,activex, etc) stuff is ignored. 

</security id="SECURITY_TAG_ID">
...
The rest of the app's html.
...
</html>
 ------------------------------ 

The <security> tag explicitly tells the browser to block all code enabling
tags on the enclosed block, this could be refined to something like
"enable only a safe subset of the javascript engine" (enable alert windows
and status bar handling, disable access to cookies, fetching other
documents or altering the form's action attribute) 

The "SECURITY_TAG_ID" value on the id attribute is a random and hard to
guess string generated by the web app stored safely in the browser parsing
engine, used to "authenticate" the closing </security> tag. This would
avoid that a malicious user could close prematurely the security enhanced
block. 

The report_to attribute would be used by the browser to report a page
(uri) when there is an attempt to use unauthorized code or an invalid
</security> tag on the corresponding security block. Additional
information like the session's data or kind of violation attempted could
be provided. 

This is just a first attempt to define this feature, further development,
suggestions and corrections are greatly appreciated. 
Received on Wednesday, 11 September 2002 03:18:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:15:52 GMT