[Twisted-Python] Five Crazy Ideas to Start Your Week

Andrew Bennetts andrew-twisted at puzzling.org
Tue Oct 8 19:49:25 EDT 2002


On Tue, Oct 08, 2002 at 08:08:14PM +0300, Tommi Virtanen wrote:
> On Tue, Oct 08, 2002 at 02:04:24AM -0500, Glyph Lefkowitz wrote:
> 
> > 2. Automatic XSS input scrubbing for Woven
> > ==========================================
[..snip..]
> >     - attributes on other HTML tags, such as onmouseover, that execute js
> >       expressions
> > 
> > Catalogue these and scrub them all off.
> > 
> >     - <img /> or <object /> tags that automatically download other
> >       items, which may be webpages containing javascript.
> > 
> > Again, don't allow these tags.  Or, have the server-side site download the
> > images and verify that they are PNGs (alternately also doing PIL stuff to
> > remove steganographic information, if you're _really_ paranoid).
> 
> 	Your basic problem here is that you are trying to disallow
> 	things you know are not safe. That assumes you are omnipotent.
> 	While not contesting that, I still feel the only sane
> 	architecture is to catalogue known safe things, and only allow
> 	those. Something like a DTD/schema should do the job.

Agreed.  You need a whitelist to do this 100%, not a blacklist.  New
browser versions invent new ways of injecting js into HTML, so a
blacklist can never hope to be complete.  BugTraq has seen this every
time a major new browser version is released.  Also be aware of nasty
tricks like "onmouse&x6f;ver" or however it is you can encode random
ascii (or unicode!) entities -- most browsers will still understand
that.  Your filter needs to as well.

I think there may be a fundamental flaw to filtering this with Woven.
Woven assumes correctly formed XML.  Browsers will still execute js on a
page that is HTML (or even HTML-ish!), even if it isn't XML.  That
already means there's probably tricks that lie outside the set of what
Woven can deal with -- though perhaps Woven can't generate them in the
first place?

If you intend to build XSS protection into Woven, I strongly recommend
you look through BugTraq's archives to get some idea of the wide variety
of techniques that can be involved -- in fact, I think they've started a
separate mailing list for XSS now.

-Andrew.
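Added example, not code from the thread or from Twisted: a small allowlist scrubber in the style the replies above advocate. Tag and attribute names are canonicalised (entities decoded, lowercased) before being compared against the allowlist, so the "onmouse&x6f;ver" style of trick cannot slip past the comparison, and a naive blacklist is shown beside it for contrast. The class name, the allowlist contents and the sample fragment are assumptions made for this example.

```python
import html
from html.parser import HTMLParser

# Allowlist: tag -> attributes permitted on it. Anything not listed is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
           "a": {"href", "title"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")

def canonical(s):
    """Decode entities until stable, then lowercase: 'onmouse&#x6f;ver',
    'ONMOUSEOVER' and double-encoded '&amp;#x6f;ver' all compare equal."""
    prev = None
    while s != prev:
        prev, s = s, html.unescape(s)
    return s.lower()

def safe_href(value):
    """Accept relative URLs and the schemes above; reject everything else.
    Tabs/newlines are stripped first, since browsers ignore them in a scheme."""
    v = "".join(ch for ch in canonical(value).strip() if ch not in "\t\n\r")
    return ":" not in v or v.startswith(SAFE_SCHEMES)

class AllowlistScrubber(HTMLParser):          # hypothetical class for this example
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        tag = canonical(tag)
        if tag not in ALLOWED:
            return                            # unknown tag is dropped, text kept
        kept = []
        for name, value in attrs:             # HTMLParser unescapes values...
            name = canonical(name)            # ...but not names: do it here
            if name not in ALLOWED[tag]:
                continue
            if name == "href" and not safe_href(value or ""):
                continue
            esc = html.escape(value or "", quote=True)
            kept.append(f' {name}="{esc}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if canonical(tag) in ALLOWED:
            self.out.append(f"</{canonical(tag)}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))    # text is re-escaped, never raw

def scrub(fragment):
    p = AllowlistScrubber(); p.feed(fragment); p.close()
    return "".join(p.out)

BLACKLIST = ("onmouseover", "onclick", "javascript:")  # the approach argued against
def blacklist_scrub(fragment):
    for bad in BLACKLIST:
        fragment = fragment.replace(bad, "")  # exact match only: encoding defeats it
    return fragment

# Constructed sample input, not taken from the thread.
SAMPLE = '<p onmouse&#x6f;ver="x()">hi <a href="&#106;avascript:x()">x</a></p>'
```

`scrub(SAMPLE)` yields `<p>hi <a>x</a></p>`, while `blacklist_scrub(SAMPLE)` returns the fragment untouched because neither encoded string matches a blacklist entry.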