4

In my website I have a textbox where the user can enter whatever they want and the text is printed out on the next page. For certain cases, they can type HTML tags to format their message so that in the next page of the website things can be bolded, in a list, italicized, etc, but script tags are not allowed due to XSS vulnerabilities.

Right now I allow the <a> tag to be reflected, so I can type into the textbox <a href=https://google.ca>sample_link</a> and on the next page if the user clicks on the text sample_link, they will be redirected to google.ca.

I have been reading up on whether you can get a virus from just visiting a website, and based on this answer here: Can you get virus just by visiting a website in Chrome? and many others, it seems you can. So say that the user didn't put google.ca, and instead some malicious url, then if they click that link their computer can get infected or some other attack may take place.

What I want to know is whether this is really an issue, since right now it seems like the only way for this to be a problem is if the user themselves enter this malicious link and click on it. So is there a way for an attacker to capitalize on the fact that this <a> tag is being reflected? I guess one way is that if what someone enters in a textbox gets reflected in a page that everyone can see, then other users may click this link, but that would mean sites like stackoverflow and other forums would be "unsafe".

It would be great if someone could shed some light on this situation. Thanks in advance!

Edit:

I have a whitelisted set of tags that are allowed to be reflected. Here they are:

"a", "b", "blockquote", "br", "cite", "code", "dd", "dl", "dt", "em", "i", "li", "ol", "p", "pre", "q", "small", "span", "strike", "strong", "sub", "sup", "u", "ul"
Michael
  • 861
  • 2
  • 9
  • 19
  • You could consider not using HTML (which might be confusing for users anyway) but have something like markdown or bb-code. It's easier to type and to filter (but not supported by Rtf controls) – eckes Aug 17 '17 at 00:40

1 Answers1

8

things can be bolded, in a list, italicized, etc, but script tags are not allowed due to XSS vulnerabilities.

That's not enough, your site is still vulnerable to XSS.

Here are some XSS examples that don't require <script> tags:

  • <svg onload="alert(document.domain)">
  • <img src="x" onerror="alert(document.domain)">
  • <body onload="alert(document.domain)">
  • <iframe src="javascript:alert(document.domain)">
  • ...

Bottom line: You can't reliably prevent XSS by blacklisting certain tags. Instead, you need to implement a strict whitelist of allowed tags and attributes.

Even if you only allow <a> tags, you're still left with XSS via pseudo protocols. E.g.:

<a href="javascript:alert(document.domain)">Click me</a>

However, if you only allow links with http[s]:// URLs, you're not creating an immediate risk for your site besides allowing people to specify links to potentially malicious sites (or just spam). As you correctly stated, that's a risk that many social websites, including SE, are willing to take.

Arminius
  • 43,922
  • 13
  • 140
  • 136
  • I just edited my question to include my whitelisted set of tags. When I enter `Click me` into the textbox, it shows "Click me" in blue, changes colours when I hover over it, but nothing happens when I click it – Michael Aug 15 '17 at 19:38
  • Also that makes sense about social websites. Unfortunately this is more of a utility website where many people may be working on the same thing and would be very bad if someone was able to paste a link to a malicious website and someone else may click it. I think I'll have to patch this up – Michael Aug 15 '17 at 19:44
  • @Michael You didn't copy the link correctly. You're missing a double quote after `href=`. That's why nothing happens when you click it. – Arminius Aug 15 '17 at 19:51
  • @Michael Also, whitelisting tags is not enough if you don't take care of the attributes as well. Otherwise, an attacker can just attach an `onclick` event to, say, a whitelisted `` tag. – Arminius Aug 15 '17 at 19:56
  • Sorry about that I just mistyped that. I had the double quotes when I tested it – Michael Aug 15 '17 at 19:56
  • And what would you recommend for securing the attributes allowed? – Michael Aug 15 '17 at 19:57
  • @Michael Whitelist the attributes you want to support. Also note that for most frameworks there are already solutions for sanitizing user-supplied HTML. You shouldn't have to implement that yourself. – Arminius Aug 15 '17 at 20:00
  • Also, I have no insight into how your application works. The `javascript:...` payload I suggested is definitely valid but there might be other encoding or filtering mechanisms in your application that prevent it from being executed. – Arminius Aug 15 '17 at 20:01
  • Thanks for all the help. Someone else handled the sanitation of HTML characters so I'm not entirely sure what processes they took either. I'm assuming you are correct though where something is filtering out the javascript – Michael Aug 15 '17 at 20:57