http://www.perlmonks.org?node_id=166560

osfameron has asked for the wisdom of the Perl Monks concerning the following question:

After I read the recent post about Cross Site Scripting attacks, I sat down and wrote an HTML filter to make user-submitted HTML safe (using HTML::Parser). Then I read some more posts, and followed some links (I particularly liked this one) and then got scared.

You can call malicious code from an <IMG> tag??!! And even stranger, from a <STYLE> tag... (well, I thought it was strange, because STYLE is for, um, formatting, not for running code, but of course this allows for dynamically generated styles).

So, for plain HTML, I think I now know what I can do: I will add the necessary filtering ability to my self-rolled version, test it against the exploits listed in the various articles, and if it doesn't come up to scratch, I'll use HTML::TagFilter as recommended by some (Hell, I'll maybe use that anyway, but this is the first time I've been able to get HTML::Parser to do anything useful, so I'm enjoying reinventing this wheel...)

But if I want users to be able to submit their own Stylesheets, how do I parse the CSS entry to make sure they aren't adding malicious code? Can I just filter out @ and expression()? Surely there must be a pre-rolled solution? (I found CSS::SAC which looks like a CSS parser, but didn't seem to have any documentation on how to use it for this kind of eventuality.

I think that one suggestion involved creating a user interface to limit what CSS is entered, which I don't want to have to do if I can avoid it!!

Cheerio!
Osfameron
http://osfameron.perlmonk.org/chickenman/