undefined | Better HN

0 pointsmasklinn1y ago0 comments

> Limiting attributes to ["href", "src"]

You need to clean that up as well to avoid e.g. javascript: links, and then there are more issues with SVG if you allow media uploads.

Then you need to be very sure you’re using a proper html5 parser and your rendering is completely canonicalized or you open yourself up to filter evasions (https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Ev...)

And of course I assume that’s what you meant but you should not add upon request, you should evaluate the addition.

0 comments

danielheath1y ago

Yes - just double checked those, thankfully the framework builtins are correct (staying up to date with a well maintained framework does wonders for your security posture).

furstenheim1y ago

Wasn't there this case of a security issue coming from abusing different parsers, in different places? Server, client, or different browsers

masklinnOP1y ago

Yes, it's actually a pretty common issue: https://langsec.org/spw23/papers/Ali_LangSec23.pdf

Examples: https://about.gitlab.com/blog/2020/03/30/how-to-exploit-pars... https://gitlab-com.gitlab.io/gl-security/security-tech-notes...

j / k navigate · click thread line to collapse