Quarantining crap HTML?

Philip Skinner me at philip-skinner.co.uk
Thu May 23 08:09:29 BST 2013


On 05/22/2013 07:53 PM, David Dorward wrote:
> On 22 May 2013, at 16:29, DAVID HODGKINSON wrote:
>
>> On 21 May 2013, at 13:14, Philip Skinner <me at philip-skinner.co.uk> 
>> wrote:
>>> You can specify the content of an iframe using a javascript call in 
>>> the src:
>>> <iframe src="javascript:'<html><body><b>hurrah, another 
>>> iframe</b></body></html>';"></iframe>
>
>> Upon sleeping on it, this was the direction I was headed in.
>>
>> The problem is the HTML is user-generated and we know where that
>> leads.
>
> If I were using that approach, I'd host the HTML on a different domain 
> (to use the Same Origin Policy to protect my site against JS attacks 
> from the HTML) and cover it with anti-evil HTTP headers (to stop 
> people including frame buster scripts).
>
> http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00
>
> (Not that that would be the first approach I'd consider, I'd tend 
> towards parsing the HTML, running it through a whitelist to determine 
> what attributes were acceptable or not and then spitting out something 
> valid and non-evil though.)
>
Plus remember to set a restrictive P3P policy on the domain/subdomain 
hosting that stuff.


More information about the london.pm mailing list