
I'm attempting to use jsoup to sanitize the HTML posted from a WYSIWYG editor in my client (TinyMCE, as it happens).

The relaxed mode appears not to be relaxed enough, as by default it strips span elements and any style attributes.

e.g.

    String text = "<p style=\"color: #ff0000;\">foobar</p>";

    Jsoup.clean(text, Whitelist.relaxed());

would output

    <p>foobar</p>

and

    <span>foobar</span>

would be removed entirely.

Does anyone have any experience of using Jsoup to eradicate the possibility of XSS attacks and still allow the above elements and attributes through?

Edit: I have gone with the following. Could anyone advise on how vulnerable this is?

    Jsoup.clean(pitch, Whitelist.relaxed().addTags("span").addAttributes(":all", "style"));

Edit 2: Has anybody used the OWASP library in production? It looks to correctly sanitize while preserving the correct styling. OWASP

jaseFace

1 Answer


It seems that it is possible to have XSS using the style attribute.

XSS attacks and style attributes

http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/

http://www.acunetix.com/websitesecurity/cross-site-scripting.htm (Look at the DIV section, which I would assume works the same for SPAN)

Here is some code I wrote to test the example in the last link.

    // The style attribute is allowed through untouched; jsoup does not inspect its value.
    String text = "<span style=\"width: expression(alert('XSS'));\">";
    System.out.println(Jsoup.clean(text, org.jsoup.safety.Whitelist.relaxed().addTags("span").addAttributes(":all", "style")));

It outputs the input exactly. If that is truly an XSS vector, then you could still be in trouble.

B. Anderson
  • Nice detail. Thanks. Do you know of a library or method I can use to test the safety of the contents of the passed style attribute? Otherwise I will have to strip out most of the lovely wysiwyg styling features available through tinymce? – jaseFace Feb 09 '12 at 19:37
  • I have tried the example you gave and jsoup is clever enough to strip out the offending style attribute but allow through a simple style like style="color:red". I'm still left uneasy about it though. – jaseFace Feb 09 '12 at 19:50
  • Apologies. Jsoup was not stripping the XSS attack you supplied, B. Anderson. It was being stripped by TinyMCE before publishing (obviously hackable). The OWASP sanitizer looks interesting though; see my edit in the main section. – jaseFace Feb 09 '12 at 22:43
  • I'm marking this as the correct answer with thanks to B. Anderson. I have not been able to find a solution to correctly sanitize the style attribute server side and have therefore restricted the functionality within TinyMCE (reluctantly) to a minimum and put the Jsoup Whitelist to basic(). – jaseFace Feb 11 '12 at 19:21
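One way to close the gap the answer and the follow-up comments identify, as an added example that is not code from the question, the answer or the jsoup project: keep the relaxed whitelist with span and style, then post-filter every style attribute against an allow-list of CSS properties and a conservative value pattern, so a value like expression(...) can never survive. The class name, the property list and the value pattern are assumptions chosen for this illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Whitelist;

public class StyleSanitizer {
    // Assumed allow-list: the only CSS properties the editor is expected to emit.
    private static final Set<String> ALLOWED_PROPS = new HashSet<>(Arrays.asList(
        "color", "background-color", "font-weight", "font-style",
        "text-decoration", "text-align", "font-size"));

    // Values may contain only letters, digits, '#', '%', '.', ',', '-' and spaces.
    // No parentheses, quotes or backslashes, so expression(), url() and escapes cannot appear.
    private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9#%.,\\- ]{1,40}");

    private static final Whitelist WHITELIST =
        Whitelist.relaxed().addTags("span").addAttributes(":all", "style");

    /** Rebuilds a style attribute, keeping only allow-listed property/value pairs. */
    static String filterStyle(String style) {
        StringBuilder kept = new StringBuilder();
        for (String decl : style.split(";")) {
            int colon = decl.indexOf(':');
            if (colon < 0) continue;
            String prop = decl.substring(0, colon).trim().toLowerCase(Locale.ROOT);
            String value = decl.substring(colon + 1).trim();
            if (ALLOWED_PROPS.contains(prop) && SAFE_VALUE.matcher(value).matches()) {
                kept.append(prop).append(": ").append(value).append("; ");
            }
        }
        return kept.toString().trim();
    }

    /** Structural clean with jsoup first, then an attribute-level clean of every style. */
    static String sanitize(String html) {
        Document doc = Jsoup.parseBodyFragment(Jsoup.clean(html, WHITELIST));
        for (Element el : doc.select("[style]")) {
            String filtered = filterStyle(el.attr("style"));
            if (filtered.isEmpty()) el.removeAttr("style");
            else el.attr("style", filtered);
        }
        return doc.body().html();
    }
}
```

With this, sanitize("<span style=\"width: expression(alert('XSS'));\">x</span>") yields <span>x</span> because width is not allow-listed, while the question's <p style="color: #ff0000;">foobar</p> passes through unchanged. Values such as rgb(255, 0, 0), which TinyMCE can emit, are rejected by the pattern and would need their own explicit grammar if you want to keep them.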