Is using jquery parseHTML to remove script tags enough to prevent XSS attacks?
We are using a WYSIWYG editor (Froala Editor) and storing the raw HTML that the user creates, so escaping the string is not an option. I intend to store the HTML string in a variable or in a data attribute enclosed in quotes, then read that HTML string back, remove script tags using jQuery's parseHTML, and keep only certain attributes before loading the HTML into the editor. Is this approach enough to prevent all XSS attacks?

Hardnett answered 22/11, 2018 at 9:12

It is not. A few counter-examples:

  • <a href="javascript:alert(1)">
  • <div onclick="alert(1)">
  • <img src="javascript:alert(1)"> (doesn't actually work anymore in modern browsers)
  • <div style="background-image: url(javascript:alert(1))"> (doesn't work anymore)

Part of the difficulty is that it also depends on which browser the user is using. The bottom line is, you need a proper sanitizer, which can also be on the client side. (It can also be on the server, but consider the "preview" feature of the editor if there is any: if previews are not sent to the server, a server-side sanitizer is not of much use. :) )

Google Caja is (was?) an HTML sanitizer project that also had a pure JavaScript component. There are other solutions as well.

Note that the editor's JavaScript must support running its contents through a custom sanitizer before inserting them into the DOM if you want to do this in JavaScript.

Poultry answered 22/11, 2018 at 11:41
I think that saying <img src="javascript:alert(1)"> is not supported by modern browsers is not necessarily correct. As of today it depends on the HTTP header instructions sent from the server and MIME types. I know because I have an app that relies on this and it works fine in all modern browsers but breaks if we set the appropriate HTTP header policies. It would work out of the box on new Windows IIS installations imho. - Wilcox
@VanquishedWombat Thank you, I might have been wrong then. I'm not sure which browsers with what response headers support this, but now I will try if I have a spare half an hour. :) - Poultry
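As an added example (not code from the question, the answer, or the Froala editor), here is the kind of client-side allowlist sanitizer the answer is asking for, written against the browser DOM. The names `sanitizeHtml`, `copyClean`, `isSafeUrl` and the `POLICY` table are chosen for this illustration. Instead of looking for `<script>` and stripping it, the code parses the untrusted markup into an inert document with `DOMParser`, then rebuilds a fresh tree containing only allowed elements and attributes, so `onclick`, `style` and every other unlisted attribute disappear by default. URL-bearing attributes are additionally run through the WHATWG `URL` parser, which trims and normalizes the value the same way the browser will when the link is followed, so the `javascript:` checks also catch mixed case, leading whitespace and embedded tabs. `sanitizeHtml` needs a browser; `isSafeUrl` also runs under Node.js, which ships the same URL parser.

```javascript
// Added example (not from the question, the answer, or Froala): a DOM-based
// allowlist sanitizer. All names below (sanitizeHtml, copyClean, isSafeUrl,
// POLICY) are chosen for this illustration. sanitizeHtml() needs a browser
// (DOMParser); isSafeUrl() also runs under Node.js (same WHATWG URL parser).

const POLICY = {
  // Elements that may survive. Anything else is unwrapped: the tag goes, its
  // (sanitized) children stay, so no "find <script> and strip it" step exists.
  tags: new Set(["p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                 "h1", "h2", "h3", "blockquote", "code", "pre", "a", "img"]),
  // Attributes allowed per element ("*" applies to every allowed element).
  // Not listed, hence dropped: all on* handlers, style, srcdoc, formaction...
  attrs: {
    "*": new Set(["title"]),
    a: new Set(["href"]),
    img: new Set(["src", "alt", "width", "height"]),
  },
  // Attributes that hold URLs: the value must also pass isSafeUrl().
  urlAttrs: new Set(["href", "src"]),
  // Disallowed elements whose text content is dropped along with the tag.
  dropContent: new Set(["script", "style", "template", "noscript", "iframe",
                        "object", "embed", "svg", "math", "textarea"]),
};

// Decide whether an attribute value may be used as a URL. The value is taken
// as the DOM hands it back (character references already decoded). Parsing
// with the WHATWG URL class normalizes like the browser does at click time:
// leading/trailing whitespace is trimmed, embedded tab/newline are removed and
// the scheme is lower-cased, so " Java\tScript:alert(1)" is still javascript:.
function isSafeUrl(value, allowedProtocols = ["http:", "https:", "mailto:"]) {
  let url;
  try {
    // The base only lets relative links ("/img/a.png") parse; it is a
    // placeholder, not a real host.
    url = new URL(String(value), "https://sanitizer.invalid/");
  } catch {
    return false; // unparseable: reject rather than guess
  }
  return allowedProtocols.includes(url.protocol);
}

// Copy allowed elements and attributes from src into dst, dropping the rest.
function copyClean(src, dst, doc, policy) {
  for (const child of Array.from(src.childNodes)) {
    if (child.nodeType === 3 /* TEXT_NODE */) {
      dst.appendChild(doc.createTextNode(child.data));
      continue;
    }
    if (child.nodeType !== 1 /* ELEMENT_NODE */) continue; // comments etc.
    const tag = child.localName;
    if (!policy.tags.has(tag)) {
      if (!policy.dropContent.has(tag)) copyClean(child, dst, doc, policy);
      continue;
    }
    const el = doc.createElement(tag);
    for (const { name, value } of Array.from(child.attributes)) {
      const n = name.toLowerCase();
      const allowed = policy.attrs["*"].has(n) ||
        (policy.attrs[tag] !== undefined && policy.attrs[tag].has(n));
      if (!allowed) continue;
      if (policy.urlAttrs.has(n) && !isSafeUrl(value)) continue;
      el.setAttribute(n, value);
    }
    copyClean(child, el, doc, policy);
    dst.appendChild(el);
  }
}

// Parse untrusted HTML with the browser's own parser into an inert document
// (scripts do not execute, nothing is fetched), rebuild only what the policy
// allows, and return the result as markup.
function sanitizeHtml(dirty, policy = POLICY) {
  const doc = new DOMParser().parseFromString(String(dirty), "text/html");
  const out = doc.createElement("div");
  copyClean(doc.body, out, doc, policy);
  return out.innerHTML;
}

// Constructed samples: the answer's vectors plus two obfuscated variants.
const SAMPLES = [
  '<a href="javascript:alert(1)">x</a>',
  '<div onclick="alert(1)">x</div>',
  '<img src="javascript:alert(1)">',
  '<div style="background-image: url(javascript:alert(1))">x</div>',
  '<a href="&#106;avascript:alert(1)">character reference</a>',
  '<a href=" JAVA\tSCRIPT:alert(1)">whitespace and case</a>',
  '<p>Kept: <a href="https://example.com/">link</a> <img src="/a.png" alt="ok"></p>',
];

if (typeof DOMParser !== "undefined") { // browser only; Node.js has no DOM
  for (const s of SAMPLES) console.log(s, "=>", sanitizeHtml(s));
}
```

Run in a browser, the first six samples come out as `<a>x</a>`, `x`, `<img>`, `x`, `<a>character reference</a>` and `<a>whitespace and case</a>`, and the last one is kept unchanged. The `<img src="javascript:...">` case debated in the comments above is rejected by the scheme check on `src` regardless of what any particular browser or response header does with it. Two caveats a practitioner would add: for production, prefer a maintained library such as DOMPurify over a hand-rolled policy, and where possible append the cleaned nodes to the page directly rather than round-tripping through `innerHTML`, since serializing and re-parsing can change the tree (mutation XSS).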
