Posted to user@velocity.apache.org by Manny Holguin <MH...@intersectsoft.com> on 2001/06/01 22:09:50 UTC

Avoiding malicious tags embedded in strings

Hi:

We are developing a web application with Velocity which looks at data in a
database which is entered via a different application.  Recently someone
entered the following text into a string field in the database:

bla bla...<A onClick='while(true){alert("!Ha")}';>Click Me!

Needless to say, this caused a big problem when displayed by our velocity
context object (i.e. $object.field ) and clicked on in our web application.

Unfortunately, we can't simply strip out any HTML anchor tags because it is
valid for users to enter HTML. And we can't disable Javascript because we
need to use it.

While this is not a Velocity-specific problem, I wondered if anyone had any
specific thoughts on the best way to handle this without introducing too
much ugliness or killing performance. 

Also, allow me to say (once again) this list (and this product) is
Excellent!! Keep up the good work.

Manny Holguin
mailto:mholguin@intersectsoft.com



Re: Avoiding malicious tags embedded in strings

Posted by "Geir Magnusson Jr." <ge...@optonline.net>.
Jon Stevens wrote:
> 
> on 6/1/01 3:21 PM, "Jon Stevens" <jo...@latchkey.com> wrote:
> 
> > If you would like to clean this up and contribute it to the Velocity project
> > in the util directory, then that would be GREAT!
> 
> I take that back. Geir would rather see this go into the commons. Maybe send
> the file to Geir instead.
> 

LOL

Just to clarify : what I was thinking is that there are a number of
useful utilities that aren't necessarily Velocity specific that we could
bring together to form a new component of the Jakarta Commons project.  
Then they could be easily shared by all w/o being tied to a specific
Velocity release.

The Jakarta Commons is a Jakarta project chartered as a place for
'standalone' components, utilities, tools, and such.  If you are
unfamiliar with 'the Commons', I urge you to take a look and
participate.

As an example, the MessageResource and related classes were recently
donated by Craig and the Struts project as a nucleus for a package of
utilities for dealing with string resource management and related
issues. 

geir

-- 
Geir Magnusson Jr.                           geirm@optonline.net
System and Software Consulting
Developing for the web?  See http://jakarta.apache.org/velocity/
You have a genius for suggesting things I've come a cropper with!

Re: Avoiding malicious tags embedded in strings

Posted by Jon Stevens <jo...@latchkey.com>.
on 6/1/01 3:21 PM, "Jon Stevens" <jo...@latchkey.com> wrote:

> If you would like to clean this up and contribute it to the Velocity project
> in the util directory, then that would be GREAT!

I take that back. Geir would rather see this go into the commons. Maybe send
the file to Geir instead.

-jon

-- 
"Open source is not available to commercial companies."
            -Steve Ballmer, CEO Microsoft
<http://www.suntimes.com/output/tech/cst-fin-micro01.html>


Re: Avoiding malicious tags embedded in strings

Posted by Jon Stevens <jo...@latchkey.com>.
on 6/1/01 1:09 PM, "Manny Holguin" <MH...@intersectsoft.com> wrote:

> Hi:
> 
> We are developing a web application with Velocity which looks at data in a
> database which is entered via a different application.  Recently someone
> entered the following text into a string field in the database:
> 
> bla bla...<A onClick='while(true){alert("!Ha")}';>Click Me!

The full summary of this is called the "Cross Site Scripting Bug" and is
well documented as a CERT advisory.

> Needless to say, this caused a big problem when displayed by our velocity
> context object (i.e. $object.field ) and clicked on in our web application.
> 
> Unfortunately, we can't simply strip out any HTML anchor tags because it is
> valid for users to enter HTML. And we can't disable Javascript because we
> need to use it.

The problem isn't Javascript and it also isn't the Anchor tag.

The problem is that you are trusting the content which is being input into
your application and then re-displayed on a page. One could substitute the
above example with "intersectsoft.com sucks balls" and it would be just as
bad for you. :-)

> While this is not a Velocity-specific problem, I wondered if anyone had any
> specific thoughts on the best way to handle this without introducing too
> much ugliness or killing performance.

The "right solution " is too simply do this:

When someone inputs strings which may be re-displayed on your page, all you
need to do is strip out any HTML code (and attributes) that isn't listed in
the "allowed" set of information. This class isn't perfect, but is a good
start for what you need...

<http://joist.tigris.org/source/browse/joist/java/org/joist/util/TagValidator.java?rev=1.11&content-type=text/x-cvsweb-markup>

If you would like to clean this up and contribute it to the Velocity project
in the util directory, then that would be GREAT!

-jon


-- 
"Open source is not available to commercial companies."
            -Steve Ballmer, CEO Microsoft
<http://www.suntimes.com/output/tech/cst-fin-micro01.html>
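The allow-list approach Jon describes, as an added example that is neither Velocity's code nor the linked TagValidator: every tag is rebuilt from an allowed tag name and allowed attributes only, and anything that does not fit the policy is escaped to literal text rather than passed through. The class name, the policy map and the choice of allowed tags are constructed for this illustration.

```java
import java.util.*;
import java.util.regex.*;
// Allow-list sanitizer: tags/attributes not in ALLOWED are escaped or dropped (constructed policy).
public class TagAllowList {
    private static final Map<String, Set<String>> ALLOWED = new HashMap<>();
    static {
        ALLOWED.put("a", new HashSet<>(Arrays.asList("href")));   // only href survives on <a>
        for (String t : new String[] {"b", "i", "em", "strong", "p", "br"})
            ALLOWED.put(t, Collections.<String>emptySet());
    }
    private static final Pattern TAG = Pattern.compile("<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>");
    private static final Pattern ATTR = Pattern.compile(
        "([A-Za-z][\\w:-]*)\\s*(?:=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s\"'>]+)))?");
    // href: http(s), mailto or relative only; javascript:/data:/vbscript: all fail this test.
    private static final Pattern SAFE_URL =
        Pattern.compile("^(?:https?:|mailto:|[^:]*$)", Pattern.CASE_INSENSITIVE);
    // Text outside tags: neutralise angle brackets only, so entities the user typed still render.
    static String escapeText(String s) { return s.replace("<", "&lt;").replace(">", "&gt;"); }
    // Attribute values are re-emitted in double quotes, so quotes and ampersands matter too.
    static String escapeAttr(String s) { return escapeText(s.replace("&", "&amp;")).replace("\"", "&quot;"); }
    public static String sanitize(String input) {
        StringBuilder out = new StringBuilder();
        Matcher m = TAG.matcher(input);
        int last = 0;
        while (m.find()) {
            out.append(escapeText(input.substring(last, m.start())));
            String name = m.group(2).toLowerCase(Locale.ROOT);
            Set<String> okAttrs = ALLOWED.get(name);
            if (okAttrs == null) {
                out.append(escapeText(m.group()));         // unknown tag: show it as literal text
            } else if (m.group(1).length() > 0) {
                out.append("</").append(name).append('>'); // closing tags never carry attributes
            } else {
                out.append('<').append(name);              // rebuild from allowed parts only
                Matcher a = ATTR.matcher(m.group(3));
                while (a.find()) {
                    String attr = a.group(1).toLowerCase(Locale.ROOT);
                    String val = a.group(2) != null ? a.group(2) : a.group(3) != null ? a.group(3) : a.group(4);
                    if (!okAttrs.contains(attr) || val == null) continue;   // drops onClick and friends
                    String probe = val.replaceAll("[\\x00-\\x20]", "");     // defeats "java\tscript:"
                    if (attr.equals("href") && !SAFE_URL.matcher(probe).find()) continue;
                    out.append(' ').append(attr).append("=\"").append(escapeAttr(val)).append('"');
                }
                out.append('>');
            }
            last = m.end();
        }
        return out.append(escapeText(input.substring(last))).toString();
    }
}
```

Put an instance in the Velocity context and write `$safe.sanitize($object.field)` in the template instead of `$object.field`; for the string from Manny's post the result is `bla bla...<a>Click Me!`, with the onClick handler gone.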