PerlMonks |
Safe CSS Stylesheets
by osfameron (Hermit) on May 14, 2002 at 19:47 UTC ( [id://166560]=perlquestion )
osfameron has asked for the wisdom of the Perl Monks concerning the following question:
After I read the recent post about Cross Site Scripting attacks, I sat down and wrote an HTML filter to make user-submitted HTML safe (using HTML::Parser). Then I read some more posts, and followed some links (I particularly liked this one) and then got scared.

You can call malicious code from an <IMG> tag??!! And even stranger, from a <STYLE> tag... (well, I thought it was strange, because STYLE is for, um, formatting, not for running code, but of course this allows for dynamically generated styles).

So, for plain HTML, I think I now know what I can do: I will add the necessary filtering ability to my self-rolled version, test it against the exploits listed in the various articles, and if it doesn't come up to scratch, I'll use HTML::TagFilter as recommended by some. (Hell, I'll maybe use that anyway, but this is the first time I've been able to get HTML::Parser to do anything useful, so I'm enjoying reinventing this wheel...)

But if I want users to be able to submit their own Stylesheets, how do I parse the CSS entry to make sure they aren't adding malicious code? Can I just filter out @ and expression()? Surely there must be a pre-rolled solution? (I found CSS::SAC which looks like a CSS parser, but didn't seem to have any documentation on how to use it for this kind of eventuality.) I think that one suggestion involved creating a user interface to limit what CSS is entered, which I don't want to have to do if I can avoid it!!

Cheerio!
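An added example, not code from osfameron's post or from any CPAN module: the question "can I just filter out @ and expression()?" is the blacklist approach, and the safer answer is the opposite one, an allowlist. The script below accepts only the grammar it understands (`selector { property: value; ... }`), with properties from a fixed list and values built from plain tokens (keywords, numbers with units, hex colours, quoted font names). Anything containing parentheses, backslashes, `@`, `/` or `:` inside a value simply never matches, so `url()`, `expression()`, CSS escapes and at-rules are dropped without having to enumerate them. The property list, the `sanitize_css` function name and the sample stylesheet are all constructed for this example.

```perl
#!/usr/bin/perl
# Allowlist-based CSS sanitiser (example code, not from the original post).
use strict;
use warnings;

# Properties we are willing to pass through. Extend this list rather than
# loosening the value grammar below.
my %ALLOWED_PROP = map { $_ => 1 } qw(
    color background-color font-family font-size font-weight font-style
    text-align text-decoration line-height width height
    margin margin-top margin-right margin-bottom margin-left
    padding padding-top padding-right padding-bottom padding-left
    border border-width border-style border-color
);

# One value token. No '(', '\', '@', ':' or '/' can appear in any branch,
# so url(), expression(), escapes and at-rules can never form a value.
my $TOKEN = qr{
      [a-zA-Z-]+                                        # bold, sans-serif, auto
    | -?(?:\d+\.?\d*|\.\d+)(?:px|pt|em|ex|cm|mm|in|%)?  # 12px, 1.5em, 50%, 0
    | \#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?               # #fff, #336699
    | "[a-zA-Z0-9 -]+" | '[a-zA-Z0-9 -]+'               # "Trebuchet MS"
}x;
my $SAFE_VALUE    = qr{^$TOKEN(?:[\s,]+$TOKEN)*$};
my $SAFE_SELECTOR = qr{^[a-zA-Z0-9_.#:>,\s-]+$};        # p, .note, a:hover, div > p

# Returns (sanitised stylesheet, arrayref of rejected fragments).
sub sanitize_css {
    my ($css) = @_;
    my @rejected;

    # Strip comments first, replacing each with a space, so a comment can
    # never be used to split a token in two and have it reassemble later.
    $css =~ s{/\*.*?\*/}{ }gs;
    # Backslash escapes and control characters could smuggle characters past
    # the token grammar, so refuse the whole sheet if any are present.
    return ('', ['stylesheet contains backslashes or control characters'])
        if $css =~ /[\\\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/;

    my @out;
    pos($css) = 0;
    # Consume the sheet strictly from the front: each iteration must match
    # exactly one "selector { body }" block starting at the current position.
    while ($css =~ /\G\s*([^{};]+?)\s*\{([^{}]*)\}/gc) {
        my ($selector, $body) = ($1, $2);
        if ($selector !~ $SAFE_SELECTOR) {
            push @rejected, "selector: $selector";
            next;
        }
        my @decls;
        for my $decl (split /;/, $body) {
            next if $decl !~ /\S/;
            if ($decl !~ /^\s*([a-zA-Z-]+)\s*:\s*(.*?)\s*$/) {
                push @rejected, "declaration: $decl";
                next;
            }
            my ($prop, $value) = (lc $1, $2);
            if (!$ALLOWED_PROP{$prop}) {
                push @rejected, "property: $prop";
                next;
            }
            if ($value !~ $SAFE_VALUE) {
                push @rejected, "value: $prop: $value";
                next;
            }
            push @decls, "$prop: $value";
        }
        push @out, "$selector { " . join('; ', @decls) . " }" if @decls;
    }
    # Whatever did not parse as "selector { ... }" (at-rules, nested blocks,
    # stray text) is reported and dropped, never passed through.
    my $rest = substr $css, (pos($css) // 0);
    push @rejected, "unparsed: " . substr($rest, 0, 40) if $rest =~ /\S/;

    return (join("\n", @out), \@rejected);
}

# Constructed sample input for the demo.
my $submitted = <<'CSS';
/* constructed sample stylesheet */
body  { color: #333; font-family: "Trebuchet MS", sans-serif }
a:hover { text-decoration: underline; position: absolute }
.box  { width: exp/**/ression(1); margin: 0 auto; }
@media print { body { color: black } }
CSS

my ($clean, $rejected) = sanitize_css($submitted);
print "accepted:\n$clean\n\nrejected:\n";
print "  $_\n" for @$rejected;
```

Run against the sample, the `body` and `a:hover` rules survive with their allowed declarations, `position` is reported as a disallowed property, the split-by-comment `expression(1)` is reported as a bad value for `width`, and the `@media` block is reported as unparsed and dropped. The price of this design is that legitimate but unlisted CSS (`!important`, `url()` for background images, nested at-rules) is also refused; that is the right default for user-submitted styles, and the fix for a missing feature is to add a narrowly-specified token or property, not to weaken the grammar. A real parser such as CSS::SAC could replace the regex front end, but the allowlist on properties and value shapes is where the safety actually comes from.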