In the website I'm developing, I'm giving users a 500px by 500px section that they can add HTML to in their profile. Currently, I am stripping script, iframe, and link tags and likewise am not allowing an uneven number of opening and closing tags (that way people don't try to add a </div> in order to break the styling).
The reason I'm allowing HTML is so that people have a lot of freedom to style this section (such as creating a background image, floating things, etc.).
What other hacks might people potentially try to abuse?
One thing I've thought about is trying to position elements outside of the 500px by 500px box in order to cover up other parts of the page. Any idea how I can stop this from happening?
<plaintext>
No but seriously, allowing HTML usage is a serious security flaw. It's better to whitelist tags than to blacklist potentially unsafe ones.
Whitelists are, and always will be, inherently more secure than blacklists.
"Parliamentary inquiry, Mr. Chairman - do we have to call the Gentleman a gentleman if he's not one?"
Be sure to whitelist attributes, too.
Edit:
Obligatory.
Post has been edited 1 time(s), last time on Jan 9 2011, 6:36 am by Tuxedo-Templar.
Strip IE-only CSS expressions from your code, too.
<span style="display:expression( alert('I can rape your shit with this!') || 'inline')">O HAI</span>
Sanitizing CSS opens up its own can of worms. Clickjacking, anyone?
Quote from Tuxedo-Templar:
Sanitizing CSS opens up its own can of worms. Clickjacking, anyone?
Can't be overly difficult to simply parse out expression() values. Not that anyone using IE deserves a secure browsing experience, but still.
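Putting the thread's advice together (whitelist tags and attributes, strip expression() and other script-bearing CSS values, drop stray closing tags and balance the rest), here is an added Python example that is not from any poster in this thread. The tag, attribute and CSS property lists are assumptions for the example; leaving position, z-index and transform off the CSS list, and clipping the container with overflow: hidden, is what keeps content inside the 500px box.

```python
import html
import re
from html.parser import HTMLParser
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "span", "div"}  # whitelists (assumed for this example)
ALLOWED_ATTRS = {"style", "title"}  # anything not listed is dropped, never "cleaned"
# position, z-index and transform are left out on purpose so content cannot leave the 500px box (clip the box with overflow: hidden too).
ALLOWED_CSS = {"display", "color", "background", "background-color", "background-image",
               "float", "margin", "padding", "width", "height", "font-size", "border"}
BAD_CSS_VALUE = re.compile(r"expression\s*\(|javascript\s*:|url\s*\(\s*['\"]?(?!https?:)", re.I)  # expression(), javascript:, non-http url()
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}  # the tag and everything inside it go
def clean_style(style):
    kept = []
    for decl in re.sub(r"/\*.*?\*/", "", style).split(";"):  # comments could split up keywords
        prop, _, value = (part.strip() for part in decl.partition(":"))
        # Reject any backslash: CSS escapes such as expr\65ssion( would otherwise pass the regex.
        if prop.lower() in ALLOWED_CSS and value and "\\" not in value and not BAD_CSS_VALUE.search(value):
            kept.append(f"{prop.lower()}: {value}")
    return "; ".join(kept)
class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0  # output, open tags, depth inside dropped tags
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            parts = [tag]
            for name, value in attrs:
                value = clean_style(value or "") if name == "style" else value
                if name in ALLOWED_ATTRS and value:
                    parts.append(f'{name}="{html.escape(value, quote=True)}"')
            self.out.append("<" + " ".join(parts) + ">")
            if tag != "br":
                self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.stack:  # a stray </div> is simply ignored
            while (inner := self.stack.pop()) != tag:  # close whatever was left open inside it
                self.out.append(f"</{inner}>")
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip: self.out.append(html.escape(data))
    def result(self):
        self.out.extend(f"</{tag}>" for tag in reversed(self.stack))  # balance unclosed tags
        return "".join(self.out)
def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment); parser.close()  # close() flushes buffered trailing text
    return parser.result()
```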