Hacker News new | ask | show | jobs
by moloch 3618 days ago
This is insufficient to prevent XSS, or DMI -the de facto anti-XSS is contextual (generally HTML) encoding, and it is the only proper mitigation. Blacklisting specific characters such as angle brackets is not safe, and will end in tears.
2 comments
strommen 3618 days ago
Yes, blacklisting is insufficient in general. But it covers many cases, including the one here. Contextual encoding must be done each and every place you emit user input into HTML, and it's easy to screw this up. Character blacklisting provides an extra layer of protection.

Unless you're intending for your user to post HTML, or math inequalities, or diff patches - there's no reason to allow angle brackets on a form post.

link
moloch 3618 days ago
> Yes, blacklisting is insufficient in general. But it covers many cases, including the one here. Contextual encoding must be done each and every place you emit user input into HTML, and it's easy to screw this up.

Blacklists are only acceptable if you do it in addition to contextual encoding wherever you emit user controlled data, and even then a much stronger protection would be to whitelist acceptable characters. Either way, contextual encoding whenever you emit user data is the only real protection. --And even then it's not a good fallback protection, a strong Content-Security-Policy should be your fallback protection.

> Unless you're intending for your user to post HTML, or math inequalities, or diff patches - there's no reason to allow angle brackets on a form post.

Form posts are not the only vector for XSS, any HTTP request can be potentially exploited to perform XSS (and any part of an HTTP request), doesn't matter if it's a Form, an AJAX request, an HTTP header value, or a GET parameter, they're all potential attack vectors.

link
alisey 3618 days ago
> But it covers many cases, including the one here.

In my experience, it doesn't even cover cases such as this one, but it certainly makes developers confident they don't need to apply contextual escaping.

link
bennofs 3618 days ago
Why is blacklisting not safe, assuming you contextually blacklist?
link
moloch 3618 days ago
There are a huge number of contextual corner cases, this cheat sheet lists just a few:

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_She...

link
tedunangst 3618 days ago
I don't understand what that page is trying to tell me. What is the "filter" that <body onload=alert()> evades?
link
strommen 3618 days ago
Read this: https://stackoverflow.com/questions/5696244/is-escaping-and-...
link