On Fri, Oct 06, 2006 at 07:25:06PM +0200, Clinton Gormley wrote: > On Fri, 2006-10-06 at 18:48 +0200, Hendrik Van Belleghem wrote: > > "mock" talked about XSS at this years YAPC::Europe in Birmingham a few > > weeks ago. He had quite a few examples. His slides are at > > http://sketchfactory.com/static/mvc.pdf (More Vulnerable Code). > > It goes without saying that it would be a bit unwise to test the URLs > > mentioned in the talk. > > He briefly mentions HTML::Scrubber in there. I am using > HTML::Stripscripts::Parser, which also makes sure that tags are nested > properly. > > Anybody have any view on these (or other) modules? > > Clint >
HTML::Scrubber is not really broken. The problem is that the documentation leads the user to do broken things, as was shown with Planet Plagger. It is possible to make a secure HTML::Scrubber config, but you need to default deny everything and then only allow a select list of tags and attributes - and you need to really think about that list. The underlying problem, which I suspect HTML::Stripscripts shares is that HTML::Parser thinks that the attribute "foo=bar" is different than the attribute "foo.=bar" (RSnake covers this kind of evasion in his document fairly well) and your browser thinks that everthing non alphanumeric before the equals sign is junk. So without actually sitting down and auditing HTML::Stripscripts I'd say it probably _can_ be used safely, but odds are most people won't. As an aside, I'm not sure that it's completely public knowledge outside people who read my site and people who saw my talk, but CSRF can be performed from feeds (RSS, Atom). So you need to defang any feeds that will be shown to a logged in user otherwise there's the possibility of doing various bad things(tm). There's also the obvious problem with javascript in feeds as well... Finally, if you're near Tokyo this November, Martin Johns is going to be presenting what looks like a really good talk on CSRF, with some new mitigation techniques and a fair bit of new work on the problem at PacSec (http://pacsec.jp/speakers.html). mock
