[TYPO3-mvc] removeXSS view helper

Nathan Lenz typo3 at k9tfk.com
Wed Apr 29 15:54:13 CEST 2009


I see that the removeXSS helper needs to be coded
(http://forge.typo3.org/wiki/typo3v4-mvc/ToDo_Fluid)

How thorough should this be?

1. Use the white list technique? If so, is it configurable and where?

2. What about white listing attributes?  This is hard because of
attributes like style="", something lots of people would want to white
list, but it can cause problems.

3. Should it alter the HTML to be standards compliant?  The majority of
XSS removers rely on balancing tags and making standards compliant HTML.
If malformed HTML should be allowed while removing all XSS it could be
nearly impossible.

4. I think it should remove all known examples here:
http://ha.ckers.org/xss.html


There are lots of tools out there that do this sort of thing:

http://sourceforge.net/projects/kses/
http://htmlpurifier.org/
http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php
(promising, because it's all in one function and well contained)

More listed here: http://htmlpurifier.org/comparison.html


If the HTML needs to be "purified" to truly remove XSS, then it might be
better to name this helper something different to better communicate
what is actually happening.

Just thinking...

--Nathan

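The following is an added illustration of the whitelist approach the post raises in points 1 to 3, written for this page; it is not code from the thread, from Fluid, or from any of the libraries listed. It shows the three design decisions in one place: a tag whitelist, a per-tag attribute whitelist (so style= and on*= handlers are dropped), an href scheme check that normalises tabs and newlines the way browsers do, and tag balancing so the output is well-formed even when the input is not. It is written in Python on top of the standard library's html.parser rather than in PHP, and the policy sets (ALLOWED_TAGS, ALLOWED_ATTRS, ALLOWED_SCHEMES) are constructed for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed policy (an assumption for this example, not a Fluid or TYPO3
# setting): only these tags survive; any other tag is dropped but its text kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
# Per-tag attribute whitelist: style= and on*= are not listed, so they vanish.
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# For these elements the content is dropped as well, not just the tag.
DROP_CONTENT_TAGS = {"script", "style"}


def safe_url(value):
    """Return a cleaned URL if its scheme is allowed, otherwise None.

    Browsers strip leading/trailing control characters and ignore tabs and
    newlines inside a URL, so the same normalisation is applied before the
    scheme is inspected; without it "java\\tscript:" passes a naive check.
    """
    controls = "".join(chr(c) for c in range(33))
    cleaned = "".join(ch for ch in (value or "").strip(controls) if ch not in "\t\r\n")
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" in head and head.split(":", 1)[0].lower() not in ALLOWED_SCHEMES:
        return None
    return cleaned


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the input from the whitelist, emitting balanced markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # stack of kept tags that are still open
        self.drop_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # tag discarded; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return  # stray closing tag with no opener: ignored
        # Close everything opened after it so nesting stays well-formed.
        while self.open_tags:
            open_tag = self.open_tags.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # HTMLParser defaults, which emit nothing for them.

    def result(self):
        self.close()
        while self.open_tags:  # close anything still open at end of input
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html_text):
    parser = WhitelistSanitizer()
    parser.feed(html_text)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs covering the cases discussed in the post.
    samples = [
        '<p onclick="x()">hi <b>there</b><script>alert(1)</script></p>',
        '<a href="javascript:alert(1)" style="color:red">link</a>',
        '<a href="java\tscript:alert(1)">link</a>',
        '<b><i>unclosed</b> tail</i></p>',
        '<img src=x onerror=alert(1)><div>text &lt;kept&gt;</div>',
    ]
    for sample in samples:
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because the output is rebuilt from the parse tree rather than patched with regular expressions, the result is always balanced, which is exactly the trade-off point 3 describes: malformed input is repaired, not preserved. Widening the policy (for instance allowing style= on some tag) is a matter of editing the sets, but each addition needs its own value check the way href has one here.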