Simon Willison wrote:
> On Sep 23, 7:15 pm, James Graham <[EMAIL PROTECTED]> wrote:
>> I would certainly be happier using the html part of the sanitizer more than the
>> typical regexp based solutions. I am less sure if the CSS sanitizer is perfect;
>> it may well be OK but it is built on a less strong foundation (since it does not
>> actually parse CSS).

That's a slight overstatement. The sanitizer defines a simplified subset of CSS that is readily parsed, and ensures that the style attributes match that subset before parsing and sanitizing. Style attributes which do not match that subset are completely eliminated.

> One attack you might want to consider is the CSS absolute positioning
> attack. I can create a "login link", then use CSS to position it in
> such a way that it overlaps the site's real login link. When the user
> tries to log in they end up on my phishing site instead.
>
> The fix is either to disallow positioning entirely or to restrict the
> range of top/left/bottom/right values allowed. Even restricting the
> range might not be enough though - if you stick in a rule saying "you
> can only use position:relative up to 10px" I could always nest a dozen
> elements, each one shifting my fake login link towards the target by
> another 10px.
>
> A similar attack is to add an enormous margin or padding to a
> malicious link so that clicks anywhere on the page will trigger that
> link. I believe this is the attack that was used to steal 30,000
> MySpace passwords a year or so ago.

Can you give an actual example of a position attribute that isn't sanitized out? "position" is not white-listed.

http://wiki.whatwg.org/wiki/Sanitization_rules

> Cheers,
>
> Simon

- Sam Ruby

You received this message because you are subscribed to the Google Groups "html5lib-discuss" group.
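As an added example (not code from the thread or from html5lib itself), a small Python style-attribute sanitizer that follows the approach Sam describes: the whole attribute must match a simplified CSS subset or it is dropped, and then only white-listed properties survive, so position/top/left never reach the output. The whitelist, the regex grammar and the margin/padding cap are assumptions for illustration; the cap addresses the enormous-margin case Simon raises, which the thread does not say html5lib itself does.

```python
import re

# Constructed whitelist for this example; it is NOT html5lib's actual list.
# Layout properties (position, top, left, ...) are deliberately absent.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-weight", "font-style", "font-size",
    "text-decoration", "text-align", "margin", "padding",
}
# Box properties take lengths; cap them so a box cannot be stretched over the page.
BOX_PROPERTIES = {"margin", "padding"}
MAX_BOX_PX = 50

# The simplified CSS subset: "prop: tok tok; prop: tok".  Tokens are keywords,
# numbers with a unit, or #hex colours.  Parentheses, quotes, escapes and
# url()/expression() cannot match, so such attributes are dropped whole.
TOKEN = r"[-a-z0-9.#%]+"
DECL = rf"[-a-z]+\s*:\s*{TOKEN}(?:\s+{TOKEN})*"
SUBSET = re.compile(rf"^\s*(?:{DECL}\s*;\s*)*(?:{DECL})?\s*$", re.I)


def _lengths_within(value: str, limit_px: float) -> bool:
    """True if every length in a margin/padding value is at most limit_px."""
    for token in value.split():
        if token == "auto":
            continue
        m = re.fullmatch(r"(\d*\.?\d+)(px|em|%)?", token)
        if m is None or m.group(2) == "%":
            return False
        px = float(m.group(1)) * (16 if m.group(2) == "em" else 1)
        if px > limit_px:
            return False
    return True


def sanitize_style(style: str) -> str:
    """Return the cleaned style attribute, or '' if it is rejected entirely."""
    if not SUBSET.match(style):
        return ""                           # outside the subset: eliminate it
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = (part.strip().lower() for part in decl.split(":", 1))
        if prop not in ALLOWED_PROPERTIES:
            continue                        # e.g. position/top/left: not white-listed
        if prop in BOX_PROPERTIES and not _lengths_within(value, MAX_BOX_PX):
            continue                        # enormous margin/padding: dropped
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)
```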