8

I'm looking for a simple list of all the html attributes that can contain javascript that will automatically run when an action is performed. I know this will differ between browsers and versions but I'd rather be safer than sorry. I currently know of the following javascript attributes: onload, onclick, onchange, onmouseover, onmouseout, onmousedown, and onmouseup

Backstory: I'm getting a full html document from an untrusted source and I want to strip all javascript that could run from the original html document so I'm removing all script tags as well as any attributes that could hold javascript before its displayed in an iframe. For this implantation there is no server side processing and no way of sandboxing the code since I need to run javascript that is being added locally after all of the original javascript is removed.

Deduplicator
  • 44,692
  • 7
  • 66
  • 118
Scott
  • 3,290
  • 4
  • 29
  • 48

2 Answers2

14

There are two places where Javascript can be used in HTML attributes:

  1. Any onEVENT attribute. I suggest just treating any attribute that begins with on as an event binding, and strip them all out.

  2. Any attribute that can contain a URI will be executed as Javascript if the URI uses the javascript: scheme, such as href and src. A complete list is in

COMPLETE list of HTML tag attributes which have a URL value?

Community
  • 1
  • 1
Barmar
  • 741,623
  • 53
  • 500
  • 612
  • I hadn't though about validating the URI attributes, do you know any good way of doing it in Javascript? – Scott Jan 09 '15 at 11:44
  • 2
    Just check whether the value of the attribute begins with `javascript:`. – Barmar Jan 09 '15 at 16:11
  • Thanks, think I'm still missing some attack vectors in css but its a good start. – Scott Jan 10 '15 at 18:30
  • I think the only place it could appear in CSS would be styles that allow `url(...)` values. So look for `url(javascript:...)`. – Barmar Jan 10 '15 at 18:54
  • Its a bit more complicated https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.234_-_CSS_Escape_And_Strictly_Validate_Before_Inserting_Untrusted_Data_into_HTML_Style_Property_Values But my main problem is how to validate external css files. – Scott Jan 11 '15 at 23:19
  • My understanding is that CSS can't execute JS in standards conformant browsers. Is this incorrect? – DylanYoung Jun 26 '20 at 16:45
  • @DylanYoung See https://stackoverflow.com/questions/476276/using-javascript-in-css – Barmar Jun 26 '20 at 18:30
  • That doesn't answer the question :) – DylanYoung Jun 29 '20 at 15:05
1

http://www.w3.org/TR/html401/interact/scripts.html#h-18.2.3

Scroll down to 18.2.3 Intrinsic events

I've had a similar requirement in a project. Don't forget to strip script elements, as well.

Barmar
  • 741,623
  • 53
  • 500
  • 612
Mark Dickson Jr.
  • 588
  • 4
  • 10
  • 2
    That doesn't include `href="javascript:..."` and `src="javascript:..."` – Barmar Jan 09 '15 at 01:25
  • I though there should be a simple list somewhere but I couldn't find it. Thanks for the link. – Scott Jan 09 '15 at 11:44
  • 1
    Use this as well: https://www.w3.org/TR/html52/webappapis.html#dom-globaleventhandlers-onabort. Otherwise you're going to miss a lot global event handlers. – DylanYoung Jun 26 '20 at 17:12