StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POWriting XSS Filter for (X)HTML Based on White List
text
Body
copied!<p>I need to implement a simple and efficient XSS Filter in C++ for <a href="http://cppcms.sourceforge.net" rel="nofollow noreferrer">CppCMS</a>. I can't use existing high quality filters written in PHP because because it is high performance framework that uses C++.</p> <p>The basic idea is provide a filter that have a while list of HTML tags and a white list of options for these tags. For example. typical HTML input can consist of <code><b></code>, <code><i></code>, tags and <code><a></code> tag with <code>href</code>. But straightforward implementation is not good enough, because, even allowed simple links may include XSS:</p> <pre><code><a href="javascript:alert('XSS')">Click On Me</a> </code></pre> <p>There are many other examples can be found <a href="http://ha.ckers.org/xss.html" rel="nofollow noreferrer">there</a>. So I though also about a possibility to create a white list of prefixes for tags like href/src -- so I always need to check if it starts with <code>(https?|ftp)://</code></p> <p><strong>Questions:</strong></p> <ul> <li>Are these assumptions are good enough for most of purposes? Meaning that If I do not give an options for <code>style</code> tags and check src/href using white list of prefixes it solves XSS problems? Are there problems that can't be fixes this way?</li> <li>Is there a good reference for formal grammar of HTML/XHTML in order to write simple parser that would cleanup all incorrect of forbidden tags like <code><script></code></li> </ul>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload