W3C home > Mailing lists > Public > public-htmail@w3.org > November 2014

(unknown charset) Re: "cleaning HTML for security"

From: (unknown charset) Neil Jenkins <帄U>
Date: Mon, 17 Nov 2014 13:45:06 +0700
Message-Id: <1416206706.3091330.191802645.7BFD95D5@webmail.messagingengine.com>
To: (unknown charset) public-htmail@w3.org

For a generic API, I would say the main thing is to remove all forms of
scripting (<script> tags, onX attributes, etc.) and all references to
external plugins; these are security holes if they are allowed to run
in the context of your application and are impossible to reliably
sanitise. Browsers implementing this have a huge advantage in that they
already have a full HTML5 parser, so if they need to sanitise an HTML
string they can use this to parse out a tree, then it is trivial to
walk the tree and use a whitelist of allowed tags and attributes to
strip out any scripting elements before serialising it again. External
systems doing this need to be wary of all the ways they can be tricked
into parsing something one way, only for the browser to interpret it
differently, making what you thought was a safe string suddenly be
inside a script tag etc.

One thing I would say is <noscript> contents should be *included* (since
you're removing the scripting) but the tags themselves removed (since it
will probably be injected into a context that *does* support scripting).
We once had a security bug due to the unexpected interaction between
<noscript> and comment tags.

CSS is a tricky one; what should be allowed depends on the context
it will be inserted into. In a webmail system you have to be careful
to avoid conflict with existing styles and not allow the content to
draw over your UI, which could lead to phishing attacks. iframes can
be used to sandbox content, but bring a whole world of other
problems unfortunately. However, the nice thing about CSS is that
the JS of the application handling the paste can be used to sanitise
the CSS as required, so I don't think it's necessary to do this at
the browser level.

Neil.
Received on Monday, 17 November 2014 06:45:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:54:17 UTC