On 1/23/12 9:59 PM, Daniel Friesen wrote:
>> 2 - We could
>> ensure that the message library never emits scripts, by
>> applying a simple jQuery filter to the final result.
> Don't delude yourself
> into thinking that you can easily blacklist the
> elements that would run a script.
> http://ha.ckers.org/xss.html
Thanks for the pointer. You're right, I wasn't being careful enough.

Even so I think we have some reason for limited optimism in this case,
because jQuery operates on nodes in browser, not strings on the server.
Adding something to a DOM usually normalizes it, so there's less chance
of missing something due to unusual ways of encoding, escaping, or
delimiting input.

As far as I know these are the main dangers:
- SCRIPT, STYLE tags
- LINK, IFRAME, FRAME, FRAMESET, META, OBJECT, EMBED tags
- inherently scripted attributes, such as "onclick".
- attribute values beginning with 'javascript:', 'vbscript:',
'mocha:', 'livescript:', matched case-insensitively.
- hardest one: element styles with values that, once cleaned of
comments, contain the script words above or /expression(.*)/

However there are other dangers too. Yesterday I discovered that in
Chrome, a script will be executed if you .append() it to anything, even
if it's not part of the document. Annoying.

Anyway I'm not going to war on this, but some reasonable efforts can be
made.
--
Neil Kandalgaonkar <neilk(a)wikimedia.org>
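The filtering rules Neil lists above, written out as an added example (not code from the thread or from MediaWiki): the tag, attribute, URL-scheme and style checks are pure functions, and the tree walker runs over a constructed `{tag, attrs, children}` stand-in for DOM nodes so it can run outside a browser and before anything is appended to a document.

```javascript
// Added example, not from the thread. The node shape {tag, attrs, children}
// and {text} is a constructed stand-in for parsed DOM nodes.
const BLOCKED_TAGS = new Set(['script', 'style', 'link', 'iframe', 'frame',
  'frameset', 'meta', 'object', 'embed']);
const SCRIPT_SCHEMES = ['javascript:', 'vbscript:', 'mocha:', 'livescript:'];

// Browsers tolerate ASCII whitespace and control characters inside a URL
// scheme, so strip them before the case-insensitive prefix match.
function isScriptUrl(value) {
  const v = String(value).replace(/[\x00-\x20]/g, '').toLowerCase();
  return SCRIPT_SCHEMES.some(s => v.startsWith(s));
}

// Style values: remove CSS comments first, then look for expression(...)
// or one of the scheme words anywhere in what remains.
function isScriptStyle(value) {
  const v = String(value).replace(/\/\*[\s\S]*?\*\//g, '').toLowerCase();
  return /expression\s*\(/.test(v) || SCRIPT_SCHEMES.some(s => v.includes(s));
}

// "on*" attributes are inherently scripted; style gets the CSS check; every
// other attribute gets the scheme check (over-broad for non-URL attributes,
// but conservative).
function isDangerousAttr(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith('on')) return true;
  if (n === 'style') return isScriptStyle(value);
  return isScriptUrl(value);
}

// Drop blocked elements (with their subtrees), strip dangerous attributes,
// pass text nodes through. Runs on the parsed tree, not on live DOM nodes,
// because of the Chrome .append() behaviour noted in the message.
function filterTree(node) {
  if (node.text !== undefined) return { text: node.text };
  if (BLOCKED_TAGS.has(node.tag.toLowerCase())) return null;
  const attrs = {};
  for (const [k, v] of Object.entries(node.attrs || {})) {
    if (!isDangerousAttr(k, v)) attrs[k] = v;
  }
  const children = (node.children || []).map(filterTree).filter(Boolean);
  return { tag: node.tag, attrs, children };
}

// Constructed sample input exercising each rule.
const SAMPLE = { tag: 'div', attrs: { onclick: 'x()', class: 'msg' }, children: [
  { tag: 'script', attrs: {}, children: [{ text: 'x()' }] },
  { tag: 'a', attrs: { href: 'java\nscript:x()', title: 'link' },
    children: [{ text: 'hi' }] },
]};
function filterSample() { return filterTree(SAMPLE); }
```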