In the website I'm developing, I'm giving users a 500px by 500px section that they can add html to in their profile. Currently, I am stripping script, iframe, and link tags and likewise am not allowing an uneven amount of opening and closing tags (that way people don't try to had a </div> in order to break the styling.

The reason I'm allowing HTML is so that people have a lot of freedom to style this section (such as creating a background image, floating things, etc.

What other hacks might people potentially try to abuse?

One thing I've thought about is trying to position elements outside of the 500px by 500px box in order to cover up other parts of the page. Any idea how I can stop this from happening?

<plaintext>

No but seriously, allowing HTML usage is a serious security flaw. It's better to whitelist tags than to blacklist potentially unsafe ones.

whitelists are always and will always be inherently more secure than blacklists.

Be sure to whitelist attributes, too.

Edit: Obligatory.

Post has been edited 1 time(s), last time on Jan 9 2011, 6:36 am by Tuxedo-Templar.

Ok, sounds good.

Strip IE-only CSS expressions from your code, too.

Sanitizing CSS opens up its own can of worms. Clickjacking, anyone?

Can't be overly difficult to simply parse out expression() values. Not that anyone using IE deserves a secure browsing experience, but still.