On more than one occation people have asked me how to stop XSS. What would the logic actually look like to accurately be able to stop cross site scripting attacks but still allow some HTML? Well, here’s a small how-to that should help (or hurt, depending on how technical you are):

1. Make a temp variable (or array of characters, or stack or however you end up doing it) with the data in it so you don’t modify the original text.
2. Take the modified text and normalize anything starting with &# to the ASCII equivalent characters. That includes both hex, decimal with and without padding and with and without semicolons. I’d also recommend normalizing HTML entities (that can be a pain in the ass as you’ll need to do a hash mapping).
3. I remove nulls, newlines, carriage returns, newlines and tabs completely. (However, I preserve spaces since that breaks up JavaScript and it won’t render, but I do compress multiple spaces into a single space).
4. Then scanning it using a boyer-moore algorithm or a pre-compiled directed acyclic word graph (for speed - if that’s an issue) for all HTML tags that are allowed or forbidden (depending on which route you want to go).
5. If something is forbidden, I’d stop here, and reject it, if you want to try to sanitize it, which I completely recommend against, make sure you do a while loop and continue to sanitize until there is nothing left to sanitize. Lest you get caught doing something like this. In doing your while loop where you find something worthwhile to strip, start over at #2 and continue doing that recursively until you remove all instances of any offending HTML caused by your own filtering. In this case you can dump the temporarily array of characters to save memory and use the modified array instead as your output. If it’s unmodified from the original it’s probably not worth keeping around, but if it is modified, the original can be interesting to save for forensics IDS (intrusion detection system) purposes.

The other things to remember that can help are using things like HTTPOnly, and remember to properly UTF-8 (or whatever encoding method you choose to use) to avoid issues with UTF-7 vectors. I personally don’t like things like phpBB script as that really only obfuscates the issue. Easy as cake, eh?

This entry was posted on Friday, June 2nd, 2006 at 8:34 am and is filed under XSS, Webappsec. You can leave a response as well.