This repository has been archived by the owner on Mar 19, 2018. It is now read-only.

Issues with Inputs with Encoded Entities and HTML Attributes #5

Open
nat4tq opened this issue Feb 8, 2018 · 0 comments
Comments

nat4tq commented Feb 8, 2018

Hi,

I was testing the filter against a set of XSS test inputs. It seems that your filter is still vulnerable to XSS such as with inputs that contain XSS payloads in the HTML tags. Examples are:

`<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>`
`<img src=xx:xx" on error="alert(1);">`, where it filters the `on error="alert(1);"` but not the `<img src=xx:xx"`.

I kindly suggest that the whitelist used by the filter restricts tags with these attributes and events to make it more robust against XSS. Also, due to the Integer.decode() API, the filter outputs an error with inputs that contain #09, for example:
`<A HREF="h tt p://6&#09;6.000146.0x7.147/">XSS</A>`

A full report can be read in our paper, "Assessment of Dynamic Open-source Cross-site Scripting Filters as Security Devices in Web Applications".

Thank you.
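The first and third payloads above rely on the filter inspecting the raw attribute text while the browser inspects the entity-decoded text. The following added example (not code from the filter discussed here) shows the defensive check: decode character references first, apply the browser's tab/newline stripping, then compare the scheme against a blocked list. The `BLOCKED_SCHEMES` set and the function names are assumptions for this illustration.

```python
import html
import re

# Schemes that run script or smuggle content when used in href/src.
# Assumed list for this example; extend it for the application in question.
BLOCKED_SCHEMES = {"javascript", "vbscript", "data"}

# Browsers drop ASCII tab, LF and CR anywhere in a URL, and strip leading
# and trailing C0 controls and spaces, before they look at the scheme.
_INNER_STRIP = re.compile(r"[\t\n\r]")
_EDGE_STRIP = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")


def decode_attribute(value: str) -> str:
    """Decode character references as a browser does for attribute values:
    named (&colon;), decimal (&#09;) and hex (&#x3a;) forms alike."""
    return html.unescape(value)


def url_scheme(url: str) -> str:
    """Lowercase scheme of url after browser-style cleanup, '' if none.
    A value like 'h tt p://...' has no valid scheme and is relative."""
    cleaned = _EDGE_STRIP.sub("", _INNER_STRIP.sub("", url))
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else ""


def naive_is_safe_href(raw_attribute: str) -> bool:
    """Check on the raw text only, the pattern the report shows failing."""
    return not raw_attribute.lower().startswith("javascript:")


def is_safe_href(raw_attribute: str) -> bool:
    """Decode first, then classify the scheme. This is what a filter must do
    to see 'jAvAsCrIpT&colon;' the same way the browser will."""
    return url_scheme(decode_attribute(raw_attribute)) not in BLOCKED_SCHEMES


if __name__ == "__main__":
    # Constructed inputs taken from the report above plus a benign control.
    for href in ("jAvAsCrIpT&colon;alert&lpar;1&rpar;",
                 "jav&#x09;ascript:alert(1)",
                 "h tt p://6&#09;6.000146.0x7.147/",
                 "https://example.com/"):
        print(f"{href!r}: naive={naive_is_safe_href(href)} decoded={is_safe_href(href)}")
```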
