Hacker News new | ask | show | jobs
by masklinn 703 days ago
> Limiting attributes to ["href", "src"]

You need to clean that up as well to avoid e.g. javascript: links, and then there are more issues with SVG if you allow media uploads.

Then you need to be very sure you’re using a proper html5 parser and your rendering is completely canonicalized or you open yourself up to filter evasions (https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Ev...)

And of course I assume that’s what you meant but you should not add upon request, you should evaluate the addition.
2 comments
danielheath 703 days ago
Yes - just double checked those, thankfully the framework builtins are correct (staying up to date with a well maintained framework does wonders for your security posture).
link
furstenheim 703 days ago
Wasn't there this case of a security issue coming from abusing different parsers, in different places? Server, client, or different browsers
link
masklinn 703 days ago
Yes, it's actually a pretty common issue: https://langsec.org/spw23/papers/Ali_LangSec23.pdf

Examples: https://about.gitlab.com/blog/2020/03/30/how-to-exploit-pars... https://gitlab-com.gitlab.io/gl-security/security-tech-notes...

link