whitelists for secure HTML

Microsoft’s RSS Team comments on all the security stuff:

Sanitization: First, the Windows RSS Platform uses several techniques to strip out script (and several other variations of malicious HTML) before storing the feed content.

Great, except, uhm, it’s a horrible plan. The only way to really sanitize HTML input is to rebuild it into a DOM, apply a whitelist of allowed HTML tags and attributes, and then re-render the DOM. All ‘strip’ techniques will fail, sooner or later: a stripper can only remove the patterns it already knows about, and the browser will happily render whatever malformed or encoded variant it missed.
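Here is that whitelist approach in Python, as an added example that is not code from this post or from Microsoft’s RSS Platform: the standard-library parser turns the untrusted markup into a tag/text event stream (the DOM rebuild), only whitelisted tags and attributes are re-emitted, URL attributes are limited to known-safe schemes, and the result is re-rendered with balanced tags. The whitelist and the scheme list are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed whitelist (assumption, not the Windows RSS Platform's real list).
ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
           "strong": set(), "code": set(), "a": {"href", "title"},
           "blockquote": {"cite"}}          # tag -> attributes permitted on it
SAFE_SCHEMES = ("http://", "https://", "mailto:")   # for href / cite values
RAW_TEXT = {"script", "style"}   # removed together with their text content

class WhitelistSanitizer(HTMLParser):
    # DOM-style rebuild: keep whitelisted tags/attrs only, balance closing tags.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.dropping = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT:
            self.dropping = True
        elif not self.dropping and tag in ALLOWED:   # unknown tag: removed
            kept = ""
            for name, value in attrs:
                if name not in ALLOWED[tag] or value is None or (
                        name in ("href", "cite")
                        and not value.strip().lower().startswith(SAFE_SCHEMES)):
                    continue   # onclick=, style=, javascript: ... never survive
                kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
            if tag != "br":    # void element: no closing tag to balance
                self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT:
            self.dropping = False
        elif tag in self.open:   # also closes anything left open inside it
            for inner in iter(self.open.pop, tag):
                self.out.append(f"</{inner}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:    # text is always re-escaped on output
            self.out.append(escape(data, quote=False))

def sanitize(html: str) -> str:
    p = WhitelistSanitizer()
    p.feed(html)
    p.close()
    for tag in reversed(p.open):   # balance tags the input never closed
        p.out.append(f"</{tag}>")
    return "".join(p.out)
```

Anything the parser does not recognise as a permitted tag or attribute simply never reaches the output, so there is no pattern list to keep up to date, which is exactly the property a strip-based filter lacks.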


One Response to whitelists for secure HTML

  1. s says:

    Our use Atom… ;)
