Staredit Network > Forums > Technology & Computers > Topic: Allowing Users To Use HTML
Allowing Users To Use HTML
Jan 7 2011, 8:33 am
By: A_of-s_t  

Jan 7 2011, 8:33 am A_of-s_t Post #1

aka idmontie

In the website I'm developing, I'm giving users a 500px by 500px section that they can add html to in their profile. Currently, I am stripping script, iframe, and link tags and likewise am not allowing an uneven amount of opening and closing tags (that way people don't try to had a </div> in order to break the styling.

The reason I'm allowing HTML is so that people have a lot of freedom to style this section (such as creating a background image, floating things, etc.

What other hacks might people potentially try to abuse?

One thing I've thought about is trying to position elements outside of the 500px by 500px box in order to cover up other parts of the page. Any idea how I can stop this from happening?



Personal GitHub
Starcraft GitHub Organization - Feel free to request member status!
TwitchTV

Jan 7 2011, 12:00 pm Aristocrat Post #2



<plaintext>

No but seriously, allowing HTML usage is a serious security flaw. It's better to whitelist tags than to blacklist potentially unsafe ones.



None.

Jan 7 2011, 2:40 pm rockz Post #3

ᴄʜᴇᴇsᴇ ɪᴛ!

whitelists are always and will always be inherently more secure than blacklists.



"Parliamentary inquiry, Mr. Chairman - do we have to call the Gentleman a gentleman if he's not one?"

Jan 7 2011, 3:47 pm The Starport Post #4



Be sure to whitelist attributes, too.

Edit: Obligatory.

Post has been edited 1 time(s), last time on Jan 9 2011, 6:36 am by Tuxedo-Templar.



None.

Jan 7 2011, 7:42 pm A_of-s_t Post #5

aka idmontie

Ok, sounds good. :nude:



Personal GitHub
Starcraft GitHub Organization - Feel free to request member status!
TwitchTV

Jan 12 2011, 4:52 am DavidJCobb Post #6



Strip IE-only CSS expressions from your code, too.

Code
<span style="display:expression( alert('I can rape your shit with this!') || 'inline')">O HAI</span>




None.

Jan 12 2011, 5:56 am The Starport Post #7



Sanitizing CSS opens up its own can of worms. Clickjacking, anyone?



None.

Jan 12 2011, 7:14 am DavidJCobb Post #8



Quote from name:Tuxedo-Templar
Sanitizing CSS opens up its own can of worms. Clickjacking, anyone?
Can't be overly difficult to simply parse out expression() values. Not that anyone using IE deserves a secure browsing experience, but still.



None.

Options
  Back to forum
Please log in to reply to this topic or to report it.
Members in this topic: None.
[2026-7-05. : 1:14 am]
l)ark_ssj9kevin -- Rectal!!!
[2026-7-05. : 12:13 am]
IskatuMesk -- u guys ever look at the "Backend performance improvements" line and kinda you know 👀
[2026-7-03. : 4:25 pm]
l)ark_ssj9kevin -- oh wow it's kind of like archipeligo but solo
[2026-7-03. : 9:43 am]
Oh_Man -- makes me wonder tho, a brood war achievement project culd be quite something, following the design methodology of SC2 achieves
[2026-7-03. : 9:43 am]
Oh_Man -- intresting concept, i see starcraft N64 is on there, most of the achieves seen bare bones though
[2026-7-03. : 9:43 am]
Oh_Man -- https://retroachievements.org/ i stumbled across this website
[2026-7-02. : 9:57 pm]
IskatuMesk -- :wob:
[2026-7-02. : 10:46 am]
UndeadStar -- :wob:
[2026-7-01. : 3:34 pm]
Symmetry -- :wob:
[2026-7-01. : 4:42 am]
Zycorax -- :wob:
Please log in to shout.


Members Online: jun3hong