5

I am using the "accept known good" validation strategy to sanitize user input (rich HTML) and am using a 3rd party component to do this.

The component by default requires every permitted class name to be explicitly listed, but also has a checkbox to suspend this rule (i.e. every class name will be accepted). The help text for this checkbox says:

Bypassing this rule may lead to security vulnerabilities. Only grant this filter to trusted roles.

I understand by checking that box, I would permit user input such as:

<div class="exploit">…</div>

However, I am unable to think of what to replace "exploit" with that may be a security vulnerability.

Can anyone explain to me why I need to whitelist class names?

Anders
Free Radical

1 Answer

5

The problem is when user-specified HTML is included together with your own HTML and application logic on the same page. It is common that the application logic depends on the content or location of specific elements inside the HTML which are selected based on id or class name. If you allow the user to specify any class name an attacker might be able to generate content with the same class names as used in your application logic. This might severely confuse the application logic which might lead to security issues.

Steffen Ullrich
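A concrete illustration of the answer's point, added here as an example and not taken from the question, the answer, or the sanitizing component in question. The "application" renders a user-supplied fragment next to its own markup and then locates its own element by class name, the way real page scripts do with querySelector('.some-class'). Everything in it is constructed for the demonstration: the class names item-id, note and highlight, the page layout, the delete handler, and the tiny regex-based stand-in for the DOM lookup (it ignores nesting because the point is the lookup, not the parser).

```javascript
// Added example: how an attacker-chosen class name hijacks application logic
// that finds its own elements by class. Not code from the original page.
// The HTML strings, class names and item ids below are all constructed.

// Stand-in for document.querySelector('.cls').textContent: the text of the
// first element in document order whose class attribute contains cls.
// Toy parser, no nesting support; enough to show the ordering problem.
function firstTextByClass(html, cls) {
  const re = /<(\w+)\s+class="([^"]*)"[^>]*>([^<]*)<\/\1>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[2].split(/\s+/).includes(cls)) return m[3];
  }
  return null;
}

// The application's own page: the user fragment is embedded first, then the
// element the delete handler reads the target id from (class "item-id").
function pageWith(userHtml) {
  return [
    `<div class="user-content">${userHtml}</div>`,
    '<span class="item-id">42</span>',
    '<button class="delete">Delete this item</button>',
  ].join('\n');
}

// The vulnerable handler: it trusts the first ".item-id" on the page.
// With unrestricted class names the user fragment can supply that element.
function targetItemId(userHtml) {
  return firstTextByClass(pageWith(userHtml), 'item-id');
}

// "Accept known good" for classes: names the user is allowed to use.
// "item-id" is deliberately not on the list, because the page's own script
// relies on it.
const ALLOWED_CLASSES = new Set(['note', 'highlight']);

// Drop every class name not on the allow-list, removing the attribute
// entirely when nothing survives. Mirrors what the component's default
// "explicitly list every permitted class" rule achieves.
function allowlistClasses(html) {
  return html.replace(/\s*class="([^"]*)"/g, (_, list) => {
    const kept = list.split(/\s+/).filter((c) => ALLOWED_CLASSES.has(c));
    return kept.length ? ` class="${kept.join(' ')}"` : '';
  });
}

// The same handler after the user fragment went through the allow-list.
function targetItemIdHardened(userHtml) {
  return firstTextByClass(pageWith(allowlistClasses(userHtml)), 'item-id');
}

// Constructed inputs: a harmless fragment and one that reuses the app's class.
const benign = '<p class="note">thanks for the help</p>';
const hostile = '<p class="item-id">999</p><p class="note">looks fine</p>';

console.log('benign  ->', targetItemId(benign));           // 42, as intended
console.log('hostile ->', targetItemId(hostile));          // 999, attacker-chosen
console.log('hardened->', targetItemIdHardened(hostile));  // 42 again
```

Nothing here is script injection: the attacker's fragment contains no tags or attributes the sanitizer would object to, only a class name that the page's own logic happens to trust. Which class names are "dangerous" therefore depends entirely on the scripts and stylesheets of the page the content lands on, which is why the safe default is to accept only the names you have positively decided users may use, rather than trying to enumerate the bad ones.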