
Disallow XSS vectors from style attribute #14

Closed
GoogleCodeExporter opened this issue Apr 27, 2015 · 4 comments

Comments

@GoogleCodeExporter

There are known style attribute XSS attacks like:

<DIV STYLE="color: red; width: expression(alert('XSS')); background-image: url('expression.png') ">

Or

<DIV STYLE="background-image: url(javascript:alert('XSS'));  border-image: url(images/javascript.png) 30 round round;">

And I need to sanitize HTML to this:

<DIV STYLE="color: red; background-image: url('expression.png') ">

Or

<DIV STYLE="border-image: url(images/javascript.png) 30 round round;">

Does this library cover such options?

Original issue reported on code.google.com by h6.msan...@gmail.com on 19 Jun 2013 at 1:02

@GoogleCodeExporter

Also I care about the "src" tag, in the case of

<DIV STYLE="border-image: url(images/javascript.png) 30 round round;">

I should make this check:

// Sketch of the desired check. HtmlPolicyBuilder, PolicyFactory and ElementPolicy are
// library classes; StylingPolicy, CSSPropertyChecker, CSSPropertyValue, CSSPropertyURL,
// MY_DOMAIN and TagsSet are the proposed API and do not exist in the library.
import java.util.Arrays;
import java.util.List;
import org.owasp.html.ElementPolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("p")
    .allowElements(new ElementPolicy() {
        @Override
        public String apply(String elementName, List<String> attrs) {
            StylingPolicy sp = new StylingPolicy();
            sp.allowCSSProperty("color");
            sp.addCssPropertyChecker(new CSSPropertyChecker() {
                @Override
                public boolean includeThisProperty(String propertyName, String propertyValue) {
                    CSSPropertyValue prop = new CSSPropertyValue(propertyValue);
                    if (prop.isURLResource()) {
                        CSSPropertyURL urlProp = new CSSPropertyURL(prop);
                        if (!urlProp.getDomain().equals(MY_DOMAIN)) {
                            // CSS resource from a third-party domain
                            return false; // disallow
                        } else {
                            return true;
                        }
                    }
                    if (prop.isExpression()) {
                        // disallow e.g. width: expression(alert('XSS'));
                        return false;
                    }
                    return true;
                }
            }, Arrays.asList("border-image"));
            sp.applyTo(attrs); // attrs is the element's attribute name/value list
            return elementName;
        }
    }, TagsSet.ALLOWED)
    .toFactory(); // HtmlPolicyBuilder exposes toFactory(), not build()
String safeHTML = policy.sanitize(untrustedHTML);

to prevent both "expression" and resources in a CSS url() from a third-party domain.

Original comment by h6.msan...@gmail.com on 19 Jun 2013 at 2:23
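The check sketched above, a property whitelist plus a same-domain restriction on url() values, can be expressed with the released library's own builder; this is an added example, not code from the thread or from the project, and it relies on HtmlPolicyBuilder.allowStyling(CssSchema), CssSchema.withProperties and allowUrlsInStyles(AttributePolicy). The class name, the allowed host and the sameOriginUrl helper are assumptions; the inputs are the two vectors from the first comment.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import org.owasp.html.AttributePolicy;
import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public final class StyleUrlPolicyExample {
  // Assumption: the only host from which CSS resources may be loaded.
  static final String ALLOWED_HOST = "static.example.com";

  /** Keeps relative paths and https URLs on ALLOWED_HOST; drops everything else. */
  static String sameOriginUrl(String elementName, String attributeName, String value) {
    try {
      URI uri = new URI(value.trim());
      if (uri.getScheme() == null) {
        // No scheme: javascript:/data: always carry one, so this is a relative
        // reference. Still reject protocol-relative forms such as //evil.example/x.
        return uri.getHost() == null ? value : null;
      }
      boolean sameOrigin = "https".equalsIgnoreCase(uri.getScheme())
          && ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
      return sameOrigin ? value : null;
    } catch (URISyntaxException e) {
      return null; // unparseable value: drop the whole declaration
    }
  }

  static final PolicyFactory POLICY = new HtmlPolicyBuilder()
      .allowElements("div", "p")
      // Only these properties survive; values are validated against the schema,
      // so width and its expression(...) value have no allowed form at all.
      .allowStyling(CssSchema.withProperties(Arrays.asList("color", "background-image")))
      // Every url(...) inside a kept property is passed through this policy.
      .allowUrlsInStyles(StyleUrlPolicyExample::sameOriginUrl)
      .toFactory();

  public static void main(String[] args) {
    String[] vectors = { // the two payloads from the issue
      "<DIV STYLE=\"color: red; width: expression(alert('XSS')); "
          + "background-image: url('expression.png')\">x</DIV>",
      "<DIV STYLE=\"background-image: url(javascript:alert('XSS')); "
          + "border-image: url(images/javascript.png) 30 round round;\">x</DIV>"
    };
    for (String v : vectors) {
      System.out.println(POLICY.sanitize(v));
    }
  }
}
```

The URL policy only sees url() values of properties the schema kept, so a property you never whitelist (border-image above) is dropped before the domain check runs.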

@GoogleCodeExporter

And don't forget that some CSS properties can have multiple values.

Original comment by h6.msan...@gmail.com on 19 Jun 2013 at 2:25

@GoogleCodeExporter

Also, what about the <style> tag? Should this allow styles from users? In the case of WYSIWYG there are some styles that should be allowed. In general there must be an element style parser.

Original comment by h6.msan...@gmail.com on 19 Jun 2013 at 2:56

@GoogleCodeExporter

Please ask questions on the mailing list, not in the issue list.
https://groups.google.com/forum/?fromgroups#!forum/owasp-java-html-sanitizer-support

Original comment by mikesamuel@gmail.com on 19 Jun 2013 at 10:14

  • Changed state: Invalid
