Is <span style=...> safe for sanitize?
I am using a rich text editor (CKEditor) and I have the opportunity to let users create profiles that are displayed to other users.

Many of the attributes CKEditor can control are being lost when I display them as:

<%= sanitize(profile.body) %>

My question is: is it safe to allow the attribute 'style' to be parsed? This would allow things like text color, size, background color, centering, indenting, etc. to be displayed. I just want to be sure it won't allow a hacker access to something I don't know about!

Camphene answered 20/3, 2011 at 21:29 Comment(0)
is it safe to allow the attribute 'style' to be parsed?

No.

background-image: url(javascript:[code]);
width: expression([code]);                  /* ie */
behavior: url([link to code]);              /* ie */
-moz-binding: url([link to code]);          /* ff */

Not to mention UI-spoofing attacks like positioning a false login form over a real one or something.

Unfair answered 20/3, 2011 at 21:41 Comment(5)
ha! Thanks very much, I had a feeling :) – Camphene
See also CSS Injection – Loats
This again shows that you cannot be safe with blacklisting. If you had not thought about blacklisting url rules in CSS you would have a problem now. You cannot even output a CSS string, you really need to fully parse it and only output the parsed DOM. – Intraatomic
But doesn't sanitize() use whitelisting? – Pluviometer
sanitize seems to filter these examples with :attributes => %w( style ) – Pluviometer
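The comments above land on the defensive shape that matters: do not pass a user's CSS string through, parse it, keep only allowlisted properties whose values are built from safe tokens, and re-serialise from the parsed pieces. The Ruby below is an added example written for this thread; it is not Rails' or Loofah's own sanitizer, and the property list, the token grammar and the sample styles are assumptions constructed for a profile page. It accepts colour, size and alignment declarations and drops the four vectors from the answer as well as positioning properties (the UI-spoofing concern) purely because they are not on the list.

```ruby
require "cgi"

# Allowlist-based sanitizer for a user-supplied `style` attribute.
# Added example, not Rails' or Loofah's code. The property list and the
# token grammar are assumptions chosen for a profile page: they cover
# colour, size and alignment, and deliberately exclude anything that
# loads a resource (url(), behavior, -moz-binding), runs code
# (expression()) or repositions content (position/top/left/z-index).
ALLOWED_PROPERTIES = %w[
  color background-color font-size font-weight font-style
  text-align text-decoration width margin-left padding-left
].freeze

# A value is accepted only when every whitespace-separated token is one of:
# a bare keyword, a hex colour, a number with an optional unit, or rgb().
# Parentheses, quotes, backslashes, slashes and '!' never match, so
# url(...), expression(...), comments and CSS escapes are all rejected.
SAFE_TOKEN = /\A(?:
    [a-z][a-z-]*                         # keyword: red, center, bold
  | \#\h{3}(?:\h{3})?                     # #fff or #ffffff
  | -?\d*\.?\d+(?:px|em|rem|pt|%)?        # 14px, 1.5em, 100%
  | rgb\(\d{1,3},\d{1,3},\d{1,3}\)        # rgb(255,0,0)
)\z/xi

# Parse declarations, keep only allowlisted property/value pairs and
# re-serialise from the parsed pieces (never echo the input string).
def sanitize_style(style)
  style.to_s.split(";").filter_map do |declaration|
    name, value = declaration.split(":", 2)
    next if name.nil? || value.nil?

    name = name.strip.downcase
    next unless ALLOWED_PROPERTIES.include?(name)

    # "rgb(255, 0, 0)" -> "rgb(255,0,0)" so the function stays one token
    tokens = value.strip.gsub(/,\s+/, ",").split(/\s+/)
    next if tokens.empty? || tokens.any? { |t| !SAFE_TOKEN.match?(t) }

    "#{name}: #{tokens.join(' ')}"
  end.join("; ")
end

# Build the span the editor output is reduced to: text is escaped and the
# style attribute is rebuilt from sanitised declarations only.
def styled_span(style, text)
  css = sanitize_style(style)
  attr = css.empty? ? "" : %( style="#{CGI.escapeHTML(css)}")
  "<span#{attr}>#{CGI.escapeHTML(text)}</span>"
end

if $PROGRAM_NAME == __FILE__
  # constructed samples mirroring the vectors in the answer above
  [
    "color: red; background-image: url(javascript:alert(1))",
    "width: expression(alert(1)); width: 100px",
    "behavior: url(x.htc); -moz-binding: url(x.xml); text-align: center",
    "position: absolute; top: 0; color: #fff"
  ].each { |s| puts "#{s.inspect} -> #{sanitize_style(s).inspect}" }
end
```

The design choice is that rejection is the default: a declaration survives only if both its property name and every value token are explicitly recognised, so a vector the list never anticipated (a new vendor prefix, an escaped `expression`, a comment splice) is dropped without anyone having had to think of it. That is the difference from a blacklist that the third comment points at, and it is the same parse-then-allowlist approach the last comment observes when Rails' sanitize is given :attributes => %w( style ).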
