[whatwg] idea about html code security anti xss

From: Ashley Sheridan <ash@ashleysheridan.co.uk>
Date: Wed, 16 Jun 2010 02:27:47 +0100
Message-ID: <1276651667.2219.45.camel@localhost>
On Wed, 2010-06-16 at 03:19 +0200, gabmeyer at westweb.at wrote:

> Hello,
> 
> I had just this idea after reading so much about xss and code injection.
> 
> I think there is a simple solution:
> 
> 1.)
> I now invent an attribute called strlen=""
> 
> I append this to a <div strlen="94843">htmlcode with strlen of 94843 bytes including whitespace</div>
> 
> The browser now knows the exact position where the div tag must end.
> 
> You cannot inject some code that closes the tag before.
> 
> 2.) 
> you can now control the code inside the div.
> you can also append a second attribute called "secure" that prevents any scriptcode to run from inside the div.
> 
> 
> Maybe this idea is not new, or does not work.
> 
> Please let me know what you think about this idea.
> 
> Christian Gabmeyer 
> 


Your strlen attribute won't solve the issue, as the server-side script
that will be generating that figure has already ignored the XSS code (if
it wasn't missing it, there wouldn't be a problem in the first place!)

Second, I don't think an attribute is going to work to prevent script
running. What if you had your own script event handlers there? Also,
what about attacks which will leave your tags closed off and open new
ones?

Person inserts their name as '</a><a href="badsite">Bob</a>' (without
the single quotes) which gets shoved into a database someplace and then
output later on a page inside a link tag to their profile page (for
example), so instead of <a href="profile">Bob</a>, you get <a
href="profile"></a><a href="badsite">Bob</a>.

Very simple example, where no script is being run, but still bad code.
This is an issue which needs more attention on the server-side of things
I feel.

Thanks,
Ash
http://www.ashleysheridan.co.uk
Received on Tuesday, 15 June 2010 18:27:47 UTC