[OpenAjaxSecurity] innerHTML?

Jon Ferraiolo jferrai at us.ibm.com
Fri Jul 20 13:56:33 PDT 2007


Hi Bertrand,
Well said. I think the key thing is to break things down depending on how
certain you are about the content:

(1) content received from trusted providers, such as yourself:
   * OK to take shortcuts such as eval() and innerHTML for programming
convenience and fast performance

(2) content received from places that might not be trustworthy in all
cases:
   (a) don't use eval() or innerHTML (or other things that lead to
injection)
   (b) instead choose one of the following
        (i) sandbox the content in an iframe with a different domain, or
        (ii) filter the content somehow to remove dangerous constructs

Jon

Bertrand Le Roy <Bertrand.Le.Roy@microsoft.com>
Sent by: security-bounces@openajax.org
07/20/2007 11:33 AM
To: OpenAjax Alliance Security Task Force <security at openajax.org>, Gorm Haug Eriksen <gormer at opera.com>
Subject: Re: [OpenAjaxSecurity] innerHTML?
Please respond to OpenAjax Alliance Security Task Force <security at openajax.org>

That’s actually a pretty good point, which forum developers have had to
solve long ago. One needs to know that injecting raw HTML should only be
done when the source of that HTML is trusted or when some filtering is
done. It is more difficult than it seems at first to filter out dangerous
HTML so most systems do it using a white list of tags, attributes and
protocols rather than with a black list. From the top of my head, here are
a few possible ways to inject script from HTML:
   * Script tag
   * Any url attribute, using the javascript: protocol (this is now
     blocked on some of the modern browsers but
     <img src="javascript:alert('0wned')"/> still works in Opera and
     throws a suspicious error in Firefox)
   * Any event attribute (the focus and mouse events are good candidates
     for an exploit)
   * Style properties that enable urls, such as
     background-image: url("javascript:…")
   * On IE, behaviors in styles are one more way to inject code.

Of course, the multitudes of ways you can encode attributes and urls in
HTML and the general forgiveness of the markup make the filtering all the
more difficult.

Bertrand

From: security-bounces at openajax.org [mailto:security-bounces at openajax.org]
On Behalf Of Jon Ferraiolo
Sent: Friday, July 20, 2007 10:31 AM
To: Gorm Haug Eriksen
Cc: security at openajax.org
Subject: [OpenAjaxSecurity] innerHTML?



Hi Gorm,
I got your note about whether we should say something in the security white
paper about innerHTML and code injection risks. I am copying the Security
TF to allow the experts to respond.

It does seem to me that we should mention and show an example of how there
is a vulnerability where client-side JavaScript assumes that the content
model for an HTML element is plain text and then simply does an
myElement.innerHTML = textStringFromServer
but if the textStringFromServer looked like this "<script>...</script>"
then script would be injected.

Jon
_______________________________________________
security mailing list
security at openajax.org
http://openajax.org/mailman/listinfo/security
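As an added example (not code from any message in this thread, and not an OpenAjax Alliance artifact), the following shows the two safe options the thread converges on for untrusted server text: escape it so that innerHTML renders it literally (what Jon's myElement.innerHTML = textStringFromServer case really needs), or filter markup through a white list of tags, attributes and protocols as Bertrand describes, which drops script tags, javascript: URLs (including entity-encoded and whitespace-split variants), on* event attributes and style attributes. The POLICY object, the function names and the sample inputs are assumptions chosen for illustration; it runs under Node without a DOM.

```javascript
// Added example, not code from the thread above. POLICY is an illustrative
// assumption, not a recommended production allow list.
const POLICY = {
  // tag name -> attributes that may survive on it; style and on* never appear
  tags: {
    b: [], i: [], em: [], strong: [], p: [], br: [], ul: [], ol: [], li: [],
    a: ['href', 'title'],
    img: ['src', 'alt'],
  },
  voidTags: new Set(['br', 'img']),
  urlAttrs: new Set(['href', 'src']),
  protocols: new Set(['http:', 'https:', 'mailto:']),
};

// Full escape for plain text: what myElement.innerHTML = text needs when the
// string is meant as text (myElement.textContent = text is simpler still).
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape for text and attribute values inside already-parsed markup: keeps
// well-formed entities (&amp;, &#39;, &#x27;) but neutralises everything else.
function escapeInMarkup(text) {
  return String(text)
    .replace(/&(?![a-z]+;|#\d+;|#x[0-9a-f]+;)/gi, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Decode numeric entities and drop control characters before looking at the
// scheme, so "java&#115;cript:" and "java\tscript:" are both seen as javascript:.
function decodeForCheck(value) {
  const cp = (n) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/[\u0000-\u0020]/g, '');
}

// A URL attribute value passes if it is relative or uses a listed scheme.
function isSafeUrl(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(decodeForCheck(value));
  return m === null || POLICY.protocols.has(m[1].toLowerCase() + ':');
}

const TAG_RE = /<\s*(\/?)\s*([a-z][a-z0-9]*)([^>]*)>/gi;
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Rebuild the markup from scratch, emitting only what the policy allows.
// Anything not rebuilt (unknown tags, disallowed attributes) simply vanishes;
// text between dropped tags stays as escaped, inert text.
function sanitizeHtml(html) {
  const s = String(html);
  let out = '';
  let last = 0;
  for (const m of s.matchAll(TAG_RE)) {
    out += escapeInMarkup(s.slice(last, m.index));
    last = m.index + m[0].length;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    // hasOwnProperty guards against names like "constructor" hitting the prototype
    if (!Object.prototype.hasOwnProperty.call(POLICY.tags, tag)) continue;
    const allowedAttrs = POLICY.tags[tag];
    if (closing) {
      if (!POLICY.voidTags.has(tag)) out += `</${tag}>`;
      continue;
    }
    let attrs = '';
    for (const a of m[3].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (name.startsWith('on')) continue;                       // event handlers
      if (!allowedAttrs.includes(name)) continue;                // style etc.
      if (POLICY.urlAttrs.has(name) && !isSafeUrl(value)) continue;
      attrs += ` ${name}="${escapeInMarkup(value)}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out + escapeInMarkup(s.slice(last));
}

// Constructed sample input: the img vector from the thread plus an encoded href.
const SAMPLE = '<b>hi</b><script>alert(1)</script>' +
  '<img src="javascript:alert(\'0wned\')"/>' +
  '<a href="java&#115;cript:alert(1)" onclick="x()">go</a>';
console.log(sanitizeHtml(SAMPLE));   // <b>hi</b>alert(1)<img><a>go</a>
console.log(escapeHtml(SAMPLE));
```

The regex tokenizer is the illustrative part: it does not handle a `>` inside a quoted attribute value or the many malformed-markup forms that browsers tolerate, which is exactly the "general forgiveness of the markup" Bertrand points to. In a real page the same allow-list walk should run over a tree produced by the browser's own parser (DOMParser or a template element) or be delegated to a maintained sanitizer, so that the filter and the renderer agree on what the markup means. Because `style` never appears in the allow list, the url() and IE behavior vectors are removed without any CSS parsing.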
