Our legacy application was originally designed to store any HTML tags for custom pages. The idea of such pages is to store any HTML that clients need, and then at some point it is possible to display this HTML data.
This approach allowed users to store any XSS. Our current task is to identify and enforce policies that prevent XSS from being stored.
We looked at several approaches that sanitize HTML based on some predefined rules:
But both approaches are based on reorganization, not on validation. Thus, the base scenario might look like this:
- User enters some data.
- The user input is sanitized and checked for equality against the raw user input (from step 1).
- In the event of any difference, the validation does not pass.
This approach works for new data. In the case of outdated data, we would have several problems:
- If the user's inherited data contains forbidden elements, the user will not be able to save a slightly modified version of the HTML content.
- The following thread will confuse the user:
  - User edits outdated data containing forbidden tags / content for the new policy.
  - The user replaces all content and saves it.
  - The user for some reason decides to return to the old version.
  - The user is not allowed to save the previous version because it contains forbidden tags / content.
The following questions will appear:
- What is the best way to validate user input for malicious HTML elements and XSS vectors?
- What approach can be used to eliminate the mentioned problems with outdated data?
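The "sanitize, then compare with the raw input" check described in the question, as an added example that is not code from the original post. It uses only Python's standard library `html.parser`; the allowlist of tags and attributes is constructed for illustration and would come from the real page policy. Comparing two canonical serializations (one filtered, one not) rather than the filtered output against the raw string means the check fails only when the sanitizer actually removed something, not when it merely normalised tag case or attribute quoting.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for the example; a real policy is derived from what the pages need.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "h1", "h2"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
DROP_WITH_CONTENT = {"script", "style"}  # the tag and everything inside it are removed


class Serializer(HTMLParser):
    """Re-emits parsed HTML in one canonical form; with filtering=True it also
    drops tags and attributes that are not on the allowlist."""

    def __init__(self, filtering):
        super().__init__(convert_charrefs=True)
        self.filtering, self.out, self.drop_depth = filtering, [], 0

    def _keep_attr(self, tag, name, value):
        if name.startswith("on"):  # inline event handlers are never allowed
            return False
        if name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
            return False
        return name in ALLOWED_ATTRS.get(tag, set())

    def handle_starttag(self, tag, attrs):
        if self.filtering and tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or (self.filtering and tag not in ALLOWED_TAGS):
            return  # strip the tag itself but keep its text content
        kept = [(n, v) for n, v in attrs if not self.filtering or self._keep_attr(tag, n, v)]
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):  # <br/> is serialized the same as <br>
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.filtering and tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or (self.filtering and tag not in ALLOWED_TAGS):
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))


def serialize(html, filtering):
    parser = Serializer(filtering)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def sanitize(html):
    """The stored form: allowlisted markup only."""
    return serialize(html, filtering=True)


def is_valid(html):
    """Validation by comparison: accept only if sanitizing changes nothing."""
    return serialize(html, filtering=False) == serialize(html, filtering=True)
```

`is_valid` gates new submissions, while `sanitize` yields the form an existing record would need to take to pass, which is what a migration or a "this page needs review" flag for legacy content can be built on.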