The Web can be an evil place, especially if you're a Web Developer blissfully unaware of Cross Site Script Attacks (XSS). Even if you are aware of XSS in all of its insidious forms, it's extremely complex
to deal with all the issues if you're taking user input and you're actually allowing users
to post raw HTML into an application. I'm dealing with this again today in a Web application where legacy data contains raw HTML that has
to be displayed and users ask for the ability
to use raw HTML as input for listings. The first line of defense of course is: Just say no
to HTML input from users. If you don't allow HTML input directly and use HTML Encoding (HttyUtility.HtmlEncode() in .NET or using standard ASP.NET MVC output @Model.Content) you're fairly safe at least from the HTML input provided. Both WebForms and Razor support HtmlEncoded content, although Razor makes it the default. In Razor the default @ expression syntax:@Model.UserContent
automatically produces HTML encoded content - you actually have
to go out of your way
to create raw HTML content (safe by default) using @Html.Raw() or the HtmlString class.
In Web Forms (V4) you can use:<%: Model.UserContent %>
or if you're using a version prior
to 4.0:<%= HttpUtility.HtmlEncode(Model.UserContent) %>
This works great as a hedge against embedded <script> tags and HTML markup as any HTML is turned into text that displays as HTML but doesn't
render the HTML. But it turns any embedded HTML markup tags into plain text. If you need
to display HTML in raw form with the markup tags rendering based on user input this approach is worthless.
If you do accept HTML input and need
to echo the rendered HTML input back, the task of cleaning up that HTML is a complex task.
In the projects I work on, customers are frequently asking for the ability
to post raw HTML quite frequently. Almost every app that I've built where there's document content from users we start out with text only input - possibly using something like MarkDown - but inevitably users want
to just post plain old HTML they created in some other rich editing application. See this a lot with realtors especially who often want
to reuse their postings easily in multiple places.
In my work this is a common problem I need
to deal with and I've tried dozens of different methods from sanitizing, simple rejection of input
to custom markup schemes none of which have ever felt comfortable
to me. They work in a half assed, hacked together sort of way but I always live in fear of missing something vital which is *really easy
to do*.
My Wishlist Item: A <restricted> tag in HTML
Let me dream here for a second on how
to address this problem. It seems
to me the easiest place where this can be fixed is: In the browser. Browsers are actually executing script code so they have a lot of control over the script code that resides in a page. What if there was a way
to specify that you want
to turn off script code for a block of HTML?
The main issue when dealing with HTML raw input isn't that we as developers are unaware of the implications of user input, but the fact that we sometimes have
to display raw HTML input the user provides. So the problem markup is usually isolated in only a very specific part of the document.
So, what if we had a way
to specify that in any given HTML block, no script code could execute by wrapping it into a tag that disables all script functionality in the browser? This would include <script> tags and any document script attributes like onclick, onfocus etc. and potentially also disallow things like iFrames that can potentially be scripted from the within the iFrame's target.
I'd like
to see something along these lines:<article>
<restricted allowscripts="no" allowiframes="no">
<div>Some content</div>
<script>alert('go ahead make my day, punk!");</script>
<div onfocus="$.getJson('http://evilsite.com/')">more content</div>
</restricted>
</article>
A tag like this would basically disallow all script code from firing from any HTML that's rendered within it. You'd use this only on code that you actually
render from your data only and only if you are dealing with custom data. So something like this:<article>
<restricted>
@Html.Raw(Model.UserContent)
</restricted>
</article>
For browsers this would actually be easy
to intercept. They
render the DOM and control loading and execution of scripts that are loaded through it. All the browser would have
to do is suspend execution of <script> tags and not hookup any event handlers defined via markup in this block. Given all the crazy XSS attacks that exist and the prevalence of this problem this would go a long way towards preventing at least coded script attacks in the DOM. And it seems like a totally doable solution that wouldn't be very difficult
to implement by vendors.
There would also need
to be some logic in the parser
to not allow an </restricted> or <restricted> tag into the content as
to short-circuit the rstricted section (per James Hart's comment). I'm sure there are other issues
to consider as well that I didn't think of in my off-the-back-of-a-napkin concept here but the idea overall seems worth consideration I think.
Without code running in a user supplied HTML block it'd be pretty hard
to compromise a local HTML document and pass information like Cookies
to a server. Or even send data
to a server period. Short of an iFrame that can access the parent frame (which is another restriction that should be available on this <restricted> tag) that could potentially communicate back, there's not a lot a malicious site could do.
The HTML could still 'phone home' via image links and href links potentially and basically say this site was accessed, but without the ability
to run script code it would be pretty tough
to pass along critical information
to the server beyond that.
Ahhhh… one can dream…
Not holding my breath of course. The design by committee that is the W3C can't agree on anything in timeframes measured less than decades, but maybe this is one place where browser vendors can actually step up the pressure. This is something in their best interest
to reduce the attack surface for vulnerabilities on their browser platforms significantly.
Several people commented on Twitter today that there isn't enough discussion on issues like this that address serious needs in the web browser space. Realistically security has
to be a number one concern with Web applications in general - there isn't a Web app out there that is not vulnerable. And yet nothing has been done
to address these security issues even though there might be relatively easy solutions
to make this happen.
It'll take time, and it's probably not going
to happen in our lifetime, but maybe this rambling thought sparks some ideas on how this sort of restriction can get into browsers in some way in the future.© Rick Strahl, West Wind Technologies, 2005-2012Posted in ASP.NET HTML5 HTML Security
Tweet
!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");
(function() {
var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;
po.src = 'https://apis.google.com/js/plusone.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);
})();
