I am using the Accept known good validation strategy to sanitize user input (rich HTML) and am using a 3rd party component to do this.
The component by default requires every permitted class name to be explicitly listed, but also has a checkbox to suspend this rule (i.e. every class name will be accepted). The help text for this checkbox says:
Bypassing this rule may lead to security vulnerabilities. Only grant this filter to trusted roles.
I understand that by checking that box, I would permit user input such as:
<div class="exploit">…</div>
However, I am unable to think of what to replace "exploit" with that may be a security vulnerability.
Can anyone explain to me why I need to whitelist class names?
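
The rule described in the question, sketched as an added example; it is not part of the original post and not the component's own code. The allowlist contents, `filter_classes`, and the `accept_any` flag (standing in for the checkbox) are assumptions for illustration, and only the `class` attribute is filtered here, with tag and other attribute filtering assumed to happen elsewhere.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for illustration; a real deployment lists its own classes.
ALLOWED_CLASSES = {"note", "quote", "align-left"}

class ClassFilter(HTMLParser):
    """Re-serialises HTML, keeping only allowlisted tokens in class attributes."""
    def __init__(self, allowed, accept_any=False):
        super().__init__(convert_charrefs=False)
        self.allowed, self.accept_any = allowed, accept_any  # accept_any models the checkbox
        self.out, self.dropped = [], []

    def _attrs(self, attrs):
        parts = []
        for name, value in attrs:
            if name == "class" and not self.accept_any:
                tokens = (value or "").split()
                kept = [t for t in tokens if t in self.allowed]
                self.dropped += [t for t in tokens if t not in self.allowed]
                if not kept:
                    continue  # drop an emptied class attribute entirely
                value = " ".join(kept)
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        return "".join(" " + p for p in parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")  # keep entity references as written

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def filter_classes(html, allowed=ALLOWED_CLASSES, accept_any=False):
    """Return (filtered_html, dropped_class_names)."""
    f = ClassFilter(allowed, accept_any)
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped
```

The list of dropped names is returned so that rejected classes can be logged and reviewed rather than silently discarded.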