
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow malicious web users to inject HTML or client-side script into the web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits."  - Wikipedia

The best way to avoid XSS is to HTML-encode user input when displaying it. But sometimes users are allowed to add HTML content to the site, and in that case HTML encoding alone is not an option. So far this is the second time I have edited this post based on the comments of three smart and good people. Obviously there is no silver bullet here. Trying to remove all the places where potentially malicious data could be embedded is impossible. So the title of the post is no longer correct, since I am not removing JavaScript tags; I am encoding and decoding.

So my solution to the problem is only partial. Partial because I have decided to limit the allowed HTML tags to: <p>, </p>, <br />, <br>, <b>, </b>, <strong>, </strong>, <u>, </u>, <i>, </i>, <strike>, </strike>, <sub>, </sub>, <sup> and </sup>.

I allow these tags only in exactly the spelling above. This means that, for example, "<p >" will not be decoded to "<p>". The point of limiting the allowed tags to this fixed list, in this exact spelling, is that none of them can carry an attribute, so there should be no way for malicious user input to be executed. I don't want to mess with more complicated tags like <a> and <img>, whose attributes (href, src, event handlers) are exactly where script gets smuggled in.

The solution I'm using has only two steps:
  1. HTML-encode all the user input (HttpUtility.HtmlEncode).
  2. Decode (using the Replace function) only the allowed HTML tags from the list above, by replacing the exact encoded form of each tag ("&lt;b&gt;") with the tag itself ("<b>").
Both steps assume the result is written into HTML body text. Inside an attribute value or a <script> block, HTML encoding is not the right defence, so don't reuse this output there. Here is a sample function that allows only <b> and <i>:

using System.Text;
using System.Web;

public static string RemoveJavaScriptTags(string sText)
{
    // Step 1: encode everything, so no user-supplied markup survives as-is.
    StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(sText));

    // Step 2: decode only the exact allowed tags. "<b >" or
    // "<b onclick=...>" do not match these strings and stay encoded.
    sb.Replace("&lt;b&gt;", "<b>");
    sb.Replace("&lt;/b&gt;", "</b>");
    sb.Replace("&lt;i&gt;", "<i>");
    sb.Replace("&lt;/i&gt;", "</i>");

    return sb.ToString();
}
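As an added example (not code from the original post), here is the same two-step approach in Python with the full allowed list from above, run against a set of constructed probe inputs: a <script> tag, a tag with an event-handler attribute, the "<p >" spelling, a pre-encoded "&lt;b&gt;", an <img> with onerror, and nested angle brackets. Python's html.escape stands in for HttpUtility.HtmlEncode (an assumption; both encode &, <, > and quotes, and the technique only relies on &lt;/&gt;). The leaks_markup check is an added helper that verifies the property the post relies on: after the allowed tags are taken out, no raw "<" or ">" may remain in the output.

```python
import html

# The exact tag strings allowed by the post. Anything else, including
# "<p >" or "<b onmouseover=...>", never matches and stays encoded.
ALLOWED_TAGS = (
    "<p>", "</p>", "<br />", "<br>",
    "<b>", "</b>", "<strong>", "</strong>",
    "<u>", "</u>", "<i>", "</i>",
    "<strike>", "</strike>", "<sub>", "</sub>",
    "<sup>", "</sup>",
)


def encode_then_decode_allowed(text: str) -> str:
    """Step 1: HTML-encode everything; step 2: decode only the exact allowed tags.

    html.escape stands in for .NET's HttpUtility.HtmlEncode (assumption:
    both encode &, <, > and quotes; the technique relies only on &lt;/&gt;).
    """
    out = html.escape(text, quote=True)
    for tag in ALLOWED_TAGS:
        # html.escape("<b>") == "&lt;b&gt;", so this mirrors the C#
        # sb.Replace("&lt;b&gt;", "<b>") calls, one tag at a time.
        out = out.replace(html.escape(tag, quote=True), tag)
    return out


def leaks_markup(output: str) -> bool:
    """Added check: after removing the allowed tags, no '<' or '>' may remain.

    Every '<' in the output must come from a decoded allowed tag; a
    surviving '<' or '>' means the browser would see markup we did not intend.
    """
    stripped = output
    for tag in ALLOWED_TAGS:
        stripped = stripped.replace(tag, "")
    return "<" in stripped or ">" in stripped


# Constructed probe inputs (not taken from the original post or the cheat sheet).
PROBES = {
    "allowed_only": "<b>bold</b>, <i>italic</i><br />line<p>para</p>",
    "script_tag": "<script>alert(1)</script>",
    "event_attribute": '<b onmouseover="alert(1)">hover</b>',
    "tag_with_space": "<p >not a match</p>",
    "pre_encoded": "&lt;b&gt;already encoded&lt;/b&gt;",
    "img_onerror": "<img src=x onerror=alert(1)>",
    "nested_lt": "<<b>script>alert(1)<</b>/script>",
}


def run_probes() -> dict:
    """Return {probe name: True if any unintended markup leaked}."""
    return {name: leaks_markup(encode_then_decode_allowed(src))
            for name, src in PROBES.items()}


if __name__ == "__main__":
    for name, src in PROBES.items():
        print(f"{name:16} -> {encode_then_decode_allowed(src)}")
    assert not any(run_probes().values()), "a probe leaked markup"
```

Two things the probes make visible. First, the pre-encoded input "&lt;b&gt;" comes out as "&amp;lt;b&amp;gt;", because step 1 encodes the ampersand before step 2 looks for "&lt;b&gt;", so a user cannot pre-encode their way past the check. Second, the order of the Replace calls does not matter here, since no encoded allowed tag is a substring of another ("&lt;b&gt;" is not contained in "&lt;br&gt;"); if you extend the list, re-check that property.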

In one of the comments it was suggested that I use http://ha.ckers.org/xss.html to test for holes in this solution. So I did, and it passed. But please test it yourself before you start using it.