Why use a whitelist for HTML sanitizing?

Posted by Carson Myers on Stack Overflow See other posts from Stack Overflow or by Carson Myers
Published on 2010-03-19T08:09:51Z Indexed on 2010/03/19 8:21 UTC
Read the original article Hit count: 519

Filed under:

html

|

whitelist

|

xss

I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input?

How many sneaky HTML tricks are there to open XSS vulnerabilities? Obviously script tags and frames are not allowed, and a whitelist would be used on the fields in HTML elements, but why disallow most of everything?

© Stack Overflow or respective owner

Related posts about html

Install usblib package - Ubuntu

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I need the package libusb for another package I am installing. I tried the following which seemed to install the package, sudo apt-get install libusb-dev but when I try to install the other package I get, configure: error: Package requirements (libusb-1.0 >= 0.9.1) were not met: No package… >>> More
Prevent malicious vulnerability scan increasing load on a server

as seen on Server Fault - Search for 'Server Fault'
Hi all, this week we have been suffering some malicious vulnerability scans to our servers, increasing the load on them, making them nearly unusable. The attack is easy to defend, just blocking the offending ip, but only after discovering it. Is there any form of prevent it? Is it normal that… >>> More
can't install psycopg2 in my env on mac os x lion

as seen on Server Fault - Search for 'Server Fault'
I tried install psycopg2 via pip in my virtual env, but got this error: ld: library not found for -lpq (full log here: http://pastebin.com/XdmGyJ4u ) I tried install postgres 9.1 from .dmg and via port, (gksks)iMac-Alexander:~ lorddaedra$ locate libpq /Developer/SDKs/MacOSX10.7.sdk/usr/include/libpq /Developer/SDKs/MacOSX10… >>> More
Bitnami redmine error SVN

as seen on Server Fault - Search for 'Server Fault'
I'm installing the Bitnami Redmine stack (redmine + subversion). Firstly I install configure and test it locally (Ubuntu 14.04 LTS). And everything is OK. I install Bitnami stack on server (Red Hat 4.4.7-4) and configure SVN. I commit files into SVN and connect project into Redmine with SVN repository… >>> More
Can the .htaccess file slow down a website to a crawl? If so, are there better ways to solve these problems with different rewrite rules and such?

as seen on Pro Webmasters - Search for 'Pro Webmasters'
here is my htaccess file...... RewriteCond %{REQUEST_URI} ^/patients/billing/FAQ_billing\.html$ [OR] RewriteCond %{REQUEST_URI} ^/patients/billing/getintouch\.html$ RewriteRule ^patients/billing/(.*)\.html$ $1.php [L,NC] RewriteCond %{REQUEST_URI} ^/patients/findadoctor/a\.html$ [OR] RewriteCond… >>> More

Related posts about whitelist

How do DotNetOpenAuth whitelist and blacklists work?

as seen on Stack Overflow - Search for 'Stack Overflow'
Does anyone have any documentation on DotNetOpenAuth and the way it handles while lists and black lists? My config <untrustedWebRequest> <blacklistHosts> <add name="*" /> </blacklistHosts> <whitelistHosts> <add name="www… >>> More
Why use a whitelist for HTML sanitizing?

as seen on Stack Overflow - Search for 'Stack Overflow'
I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input? How many sneaky HTML tricks are there to open XSS vulnerabilities? Obviously script tags and frames are not allowed, and a whitelist would be used on the fields in HTML elements, but why disallow most… >>> More
Amavis-new whitelist

as seen on Server Fault - Search for 'Server Fault'
Hi to the Linux community. I'm coming from a Windows Server background so have mercy. I'm attempting to whitelist some domains and although I know this isn't the best way of doing so its just a one off for a couple of domains so I thought it would be the quickest way of doing so. Current setup: Amavis… >>> More
whitelist- blacklist implementation using amavis

as seen on Server Fault - Search for 'Server Fault'
Hiiiii... I want to develop mailserver. I want to blocked specific sender's email using amavis. so what can i do? can i edit /usr/sbin/amavisd file or any other way.....? >>> More
whitelist- blacklist implementation

as seen on Server Fault - Search for 'Server Fault'
Hiiii... I have installed postfix ,amavisd,spamassassin and clamd. I want to specify sender to blacklist ....so please give the solution.. Thanks in advance... >>> More