[OpenAjaxSecurity] innerHTML?

Bertrand Le Roy Bertrand.Le.Roy at microsoft.com
Fri Jul 20 11:33:00 PDT 2007


That's actually a pretty good point, which forum developers have had to solve long ago. One needs to know that injecting raw HTML should only be done when the source of that HTML is trusted or when some filtering is done. It is more difficult than it seems at first to filter out dangerous HTML so most systems do it using a white list of tags, attributes and protocols rather than with a black list. From the top of my head, here are a few possible ways to inject script from HTML:

*         Script tag

*         Any url attribute, using the javascript: protocol (this is now blocked on some of the modern browsers but <img src="javascript:alert('0wned')"/> still works in Opera and throws a suspicious error in Firefox)

*         Any event attribute (the focus and mouse events are good candidates for an exploit)

*         Style properties that enable urls, such as background-image: url("javascript:...")

*         On IE, behaviors in styles are one more way to inject code.

Of course, the multitudes of ways you can encode attributes and urls in HTML and the general forgiveness of the markup make the filtering all the more difficult.

Bertrand

From: security-bounces at openajax.org [mailto:security-bounces at openajax.org] On Behalf Of Jon Ferraiolo
Sent: Friday, July 20, 2007 10:31 AM
To: Gorm Haug Eriksen
Cc: security at openajax.org
Subject: [OpenAjaxSecurity] innerHTML?


Hi Gorm,
I got your note about whether we should say something in the security white paper about innerHTML and code injection risks. I am copying the Security TF to allow the experts to respond.

It does seem to me that we should mention and show an example of how there is a vulnerability where client-side JavaScript assumes that the content model for an HTML element is plain text and then simply does an
myElement.innerHTML = textStringFromServer
but if the textStringFromServer looked like this "<script>...</script>" then script would be injected.

Jon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://openajax.org/pipermail/security/attachments/20070720/a1b124e8/attachment.html 


More information about the security mailing list