
Re: HTML imports: new XSS hole?

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 02 Jun 2014 23:34:18 -0400
Message-ID: <538D423A.8090404@mit.edu>
To: public-webapps@w3.org
On 6/2/14, 11:17 PM, Eduardo' Vela" <Nava> wrote:
> Now, I'm not sure how many have tried to implement an HTML sanitizers.

I've reviewed Gecko's implementation of one, if that counts...

>   1. You have to write a parser OR You have to use a third-party parser.

Wasn't an issue for us obviously.

>   2. You have to get a serializer.

Likewise.

>   3. You need a sane whitelist.

This was a pain.

>    3.1 And the whitelist, apparently, needs to be aware of not just
> <tag/attribute> pairs, but also <tag/attribute + rel="stylesheet"> geez!

And this.  We actually rip out all @rel values specifically on <link> 
elements, because we in fact do not want to allow rel="stylesheet" (but 
we do want to allow @rel on other elements)....

I agree with your general point, though, which is that writing a good 
sanitizer is pretty nontrivial.

-Boris
Received on Tuesday, 3 June 2014 03:34:47 UTC
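The tag/attribute whitelist with a per-element rule for @rel, as described in the reply above, written out as an added example (this is constructed illustration code, not Gecko's sanitizer; the whitelist contents and the decision to drop script/style text are assumptions):

```python
import html
from html.parser import HTMLParser

# Constructed whitelist for illustration: tag -> attributes allowed on it.
# <link> is listed without @rel, so rel="stylesheet" and rel="import"
# can never survive on it; <a> keeps @rel because it is harmless there.
ALLOWED = {
    "a": {"href", "rel"},
    "p": set(), "b": set(), "i": set(), "br": set(),
    "link": {"href"},
}
VOID = {"link", "br"}               # never emit a closing tag for these
DROP_CONTENT = {"script", "style"}  # disallowed tags whose text is dropped too


class WhitelistSanitizer(HTMLParser):
    """Parse, filter against ALLOWED, then re-serialize the kept nodes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED or self.skip:
            return  # unknown tag: drop the tag itself, keep its text
        kept = [(k, v) for k, v in attrs if k in ALLOWED[tag]]
        rendered = "".join(
            f' {k}="{html.escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in kept
        )
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag not in VOID and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    s = WhitelistSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)
```

A <link> that reaches the output has no @rel at all, so it is inert regardless of which rel values a browser happens to support.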