On Sep 23, 7:15 pm, James Graham <[EMAIL PROTECTED]> wrote:

> I would certainly be happier using the html part of the sanitizer more than
> the typical regexp based solutions. I am less sure if the CSS sanitizer is
> perfect; it may well be OK but it is built on a less strong foundation
> (since it does not actually parse CSS).
One attack you might want to consider is the CSS absolute positioning attack. I can create a "login link", then use CSS to position it in such a way that it overlaps the site's real login link. When the user tries to log in they end up on my phishing site instead.

The fix is either to disallow positioning entirely or to restrict the range of top/left/bottom/right values allowed. Even restricting the range might not be enough though - if you stick in a rule saying "you can only use position:relative up to 10px" I could always nest a dozen elements, each one shifting my fake login link towards the target by another 10px.

A similar attack is to add an enormous margin or padding to a malicious link so that clicks anywhere on the page will trigger that link. I believe this is the attack that was used to steal 30,000 MySpace passwords a year or so ago.

Cheers,

Simon
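As an added illustration of the sanitizer policy discussed in this thread (example code written for this page, not html5lib's own sanitizer and not from either poster): a minimal style-attribute filter that drops positioning properties outright and caps margin/padding lengths, plus a helper that sums the offsets of a chain of nested boxes to show why a per-element cap such as "10px" does not bound where the box finally lands. The property list, the 20px cap and the px-only length syntax are assumptions of this example.

```python
import re

# Properties that let an inline style move a box anywhere on the page.
# Policy here: disallow them outright rather than range-limit them.
POSITIONING_PROPS = {"position", "top", "left", "bottom", "right"}
# Box-spacing properties that can turn a link into a page-sized click target.
SPACING_PREFIXES = ("margin", "padding")
MAX_SPACING_PX = 20  # assumed policy limit for this example

# Accepts "12", "-12", "12.5px"; anything else (em, %, calc()) is rejected
# conservatively, which is simpler than parsing real CSS lengths.
_LENGTH = re.compile(r"^(-?\d+(?:\.\d+)?)(px)?$")


def parse_declarations(style):
    """Split a style attribute into (property, value) pairs.
    This is deliberately not a CSS parser; it only handles 'a: b; c: d'."""
    out = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        out.append((prop.strip().lower(), value.strip().lower()))
    return out


def sanitize_style(style):
    """Return only the declarations that pass policy, rejoined as a style string."""
    kept = []
    for prop, value in parse_declarations(style):
        if prop in POSITIONING_PROPS:
            continue  # positioning is disallowed entirely
        if prop.startswith(SPACING_PREFIXES):
            m = _LENGTH.match(value)
            if not m or abs(float(m.group(1))) > MAX_SPACING_PX:
                continue  # oversized or unparseable spacing is dropped
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)


def cumulative_offset(nested_styles):
    """Total horizontal shift, in px, produced by a chain of nested boxes whose
    'left' values each individually pass a naive per-element cap.
    The sum grows with nesting depth, so a per-element limit bounds nothing."""
    total = 0.0
    for style in nested_styles:
        for prop, value in parse_declarations(style):
            m = _LENGTH.match(value) if prop == "left" else None
            if m:
                total += float(m.group(1))
    return total
```

Running `cumulative_offset(["position: relative; left: 10px"] * 12)` gives 120px even though every element respects a 10px cap, which is the nesting argument made in the post above.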