Wes Gamble
2006-Apr-18 19:57 UTC
[Rails] Security considerations with displaying uploaded HTML
I have an application where I am allowing users to upload (or refer the app. to) arbritrary HTML that I am (currently) displaying in an IFRAME on a page. The users will be authenticated so it''s not open to the entire universe. I was always uneasy with this, but after reading the security chapter of AWDWR, I am even more concerned. What kinds of applications do people have out there that provide snippets of HTML that could be user provided? I saw something in AWDWR about sanitize() - any comments/advice on that? One thing I''m considering is rendering it on the server side and providing an image of the rendered to the user - then I only have to worry about being compromised on my server instead of worrying about XSS attacks. Does that make sense? Any thoughts or advice is appreciated. Wes -- Posted via http://www.ruby-forum.com/.
Douglas Livingstone
2006-Apr-18 20:50 UTC
[Rails] Security considerations with displaying uploaded HTML
2006/4/18, Wes Gamble <weyus@att.net>:> > One thing I''m considering is rendering it on the server side and > providing an image of the rendered to the user - then I only have to > worry about being compromised on my server instead of worrying about XSS > attacks. Does that make sense? >Personally I''d be more worried about the server being compromised than XSS, so I wouldn''t consider that an option.> I have an application where I am allowing users to upload (or refer the > app. to) arbritrary HTML that I am (currently) displaying in an IFRAME > on a page. The users will be authenticated so it''s not open to the > entire universe.Most HTML and CSS shouldn''t be able to affect you outside the IFRAME. I''d remove all meta, link and script tags. The main worry would be JavaScript, so also get rid of on*="" attributes, and probably filter hyperlinks which start with the javascript: protocall too... which come to think of it is what sanitize() does (except for the meta tags, I''d try and protect against a stupid meta-refresh too). If you serve the content of the IFRAME from a different domain that should trigger more security from the browser, which should block most things. hth, Douglas
Wes Gamble
2006-Apr-18 22:16 UTC
[Rails] Re: Security considerations with displaying uploaded HTML
Douglas, Thanks for this. The thing is that I need to be able to "preview" this HTML and show it to the user the way that it would look in a browser. The problem is there are lots of pages now that do things like specify image tags and their contents via Javascript which means that stripping <SCRIPT> tags and/or on* event handlers could potentially hobble the page. Wes Douglas Livingstone wrote:> 2006/4/18, Wes Gamble <weyus@att.net>: >> >> One thing I''m considering is rendering it on the server side and >> providing an image of the rendered to the user - then I only have to >> worry about being compromised on my server instead of worrying about XSS >> attacks. Does that make sense? >> > > Personally I''d be more worried about the server being compromised than > XSS, so I wouldn''t consider that an option. > >> I have an application where I am allowing users to upload (or refer the >> app. to) arbritrary HTML that I am (currently) displaying in an IFRAME >> on a page. The users will be authenticated so it''s not open to the >> entire universe. > > Most HTML and CSS shouldn''t be able to affect you outside the IFRAME. > I''d remove all meta, link and script tags. The main worry would be > JavaScript, so also get rid of on*="" attributes, and probably filter > hyperlinks which start with the javascript: protocall too... which > come to think of it is what sanitize() does (except for the meta tags, > I''d try and protect against a stupid meta-refresh too). > > If you serve the content of the IFRAME from a different domain that > should trigger more security from the browser, which should block most > things. > > hth, > Douglas-- Posted via http://www.ruby-forum.com/.
Douglas Livingstone
2006-Apr-19 02:07 UTC
[Rails] Re: Security considerations with displaying uploaded HTML
2006/4/19, Wes Gamble <weyus@att.net>:> > The problem is there are lots of pages now that do things like specify > image tags and their contents via Javascript which means that stripping > <SCRIPT> tags and/or on* event handlers could potentially hobble the > page. >At least for IE, this might hep then: http://www.microsoft.com/technet/prodtechnol/ie/reskit/6/part2/c04ie6rk.mspx?mfr=true "A content author can create a frame or IFRAME with the "security=restricted" attribute. This attribute puts the contents of the frame or IFRAME, as well as any child frames (initiated by parent frames) that it might contain, in the Restricted sites zone. For example, if the http://a.com/ Web page contains <iframe security=restricted src="http://b.com/"></iframe> and the http://b.com/ Web page contains <iframe src="http://www.microsoft.com/"> </iframe>, both http://b.com/ and http://www.microsoft.com/ will run in the Restricted sites zone. The frame cannot run scripting or ActiveX controls, unless the user changes the default settings for the Restricted sites zone or you used the Internet Explorer Customization Wizard to override the Restricted sites zone settings for the Internet Explorer installation. Also, support for Meta-refresh (a mechanism that allows a Web page to redirect to another Web page on a timer without using script) is disabled in the Restricted sites zone." I''m not sure how much security that gives you, and it will only be for IE, which isn''t exactly known for security, but that might be a help. Try and hack it and see! And hey, it turns off the meta-refresh too :-) Douglas
Wes Gamble
2006-Apr-19 04:24 UTC
[Rails] Re: Re: Security considerations with displaying uploaded HTM
Douglas, Again thanks! I found that right after your last post. I''ll do my best. I''ll try and post any other stuff that I find out. Wes Douglas Livingstone wrote:> 2006/4/19, Wes Gamble <weyus@att.net>: >> >> The problem is there are lots of pages now that do things like specify >> image tags and their contents via Javascript which means that stripping >> <SCRIPT> tags and/or on* event handlers could potentially hobble the >> page. >> > > At least for IE, this might hep then: > > http://www.microsoft.com/technet/prodtechnol/ie/reskit/6/part2/c04ie6rk.mspx?mfr=true > > "A content author can create a frame or IFRAME with the > "security=restricted" attribute. This attribute puts the contents of > the frame or IFRAME, as well as any child frames (initiated by parent > frames) that it might contain, in the Restricted sites zone. For > example, if the http://a.com/ Web page contains <iframe > security=restricted src="http://b.com/"></iframe> and the > http://b.com/ Web page contains <iframe > src="http://www.microsoft.com/"> </iframe>, both http://b.com/ and > http://www.microsoft.com/ will run in the Restricted sites zone. The > frame cannot run scripting or ActiveX controls, unless the user > changes the default settings for the Restricted sites zone or you used > the Internet Explorer Customization Wizard to override the Restricted > sites zone settings for the Internet Explorer installation. Also, > support for Meta-refresh (a mechanism that allows a Web page to > redirect to another Web page on a timer without using script) is > disabled in the Restricted sites zone." > > I''m not sure how much security that gives you, and it will only be for > IE, which isn''t exactly known for security, but that might be a help. > Try and hack it and see! And hey, it turns off the meta-refresh too > :-) > > Douglas-- Posted via http://www.ruby-forum.com/.