To an even greater extent than templating systems, sanitization systems of this type need to be built by an expert and align perfectly with how browsers parse tags, which is no small feat.
To give more concrete examples, from a few minutes of testing:
<a href="javascript://%0Aalert`xss`">1</a> <- XSS on click
<img src=javascript:alert(2)> <- XSS in Opera Mobile, Opera 10, early versions of IE
<img src="/logout"> <- CSRF which affects nearly everything built without security know-how
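As an added illustration of the "align with how browsers parse" point (this is editor-written example code, not the commenter's, and the scheme allowlist and function names are assumptions): an href/src check that first reduces the attribute value to what the browser's URL parser actually sees (character references decoded, leading/trailing control characters trimmed, tab/newline/CR removed) and only then compares the scheme against an allowlist. Checking the raw markup string instead is exactly the mismatch that lets payloads like the first two above through a sanitizer.

```python
import html
import re
from typing import Optional

# Added example: allowlist check for URL attribute values, written to mirror
# the browser's own parsing steps. The allowed schemes are an assumption;
# adjust them to what the application actually needs to link to.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Per the WHATWG URL parser: leading/trailing C0 controls and spaces are
# trimmed, and ASCII tab, LF and CR anywhere in the input are removed
# before the scheme is read.
_EDGE_CHARS = "".join(chr(c) for c in range(0x21)) + "\x7f"
_INNER_JUNK = re.compile(r"[\t\n\r]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def normalize_url(raw: str) -> str:
    """Reduce an attribute value to what the browser's URL parser would see."""
    # The HTML tokenizer decodes character references inside attribute values
    # before the URL parser ever runs, so the check must operate on the
    # decoded text rather than on the raw markup.
    value = html.unescape(raw)
    value = value.strip(_EDGE_CHARS)
    return _INNER_JUNK.sub("", value)


def url_scheme(raw: str) -> Optional[str]:
    """Return the lowercased scheme of a URL, or None for a relative URL."""
    match = _SCHEME.match(normalize_url(raw))
    return match.group(1).lower() if match else None


def is_safe_href(raw: str) -> bool:
    """Allowlist decision: relative URLs and known-harmless schemes pass;
    everything else (javascript:, data:, unknown schemes) is rejected."""
    scheme = url_scheme(raw)
    return scheme is None or scheme in ALLOWED_SCHEMES


def sanitize_href(raw: str) -> str:
    """What a sanitizer would emit for the attribute: the original value,
    or an inert placeholder when the scheme is not on the allowlist."""
    return raw if is_safe_href(raw) else "#"


if __name__ == "__main__":
    # Constructed inputs: the URL values quoted in the comment plus benign ones.
    for candidate in [
        "javascript://%0Aalert`xss`",
        "javascript:alert(2)",
        "https://example.com/page",
        "/logout",
        "mailto:someone@example.com",
    ]:
        print(f"{candidate!r:40} -> {sanitize_href(candidate)!r}")
```

Note the caveat the third example in the comment illustrates: "/logout" passes this check, and rightly so from the sanitizer's point of view, because nothing about the URL is malformed. That case is a server-side design defect (a state-changing action reachable by a plain GET), and the fix lives in the application (require POST plus a CSRF token for anything that changes state), not in the markup sanitizer.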