
Protecting against the risk of XSS attacks in user-generated content

Web 2.0 means different things according to who you speak to, but one ubiquitous part of the definition is User Created Content (UCC). UCC essentially means giving the tools to create html on your website to someone other than the webmaster. And as soon as you give the keys to the castle to the great unwashed, then the great unwashed are going to try to crap in the moat.

Typically in blogs or discussion boards you will see a form that will allow people to post their comments, which will then be displayed on the page, below the main article. Sometimes you will want people to insert links into their comments, which immediately opens up potential Cross Site Scripting (XSS) vulnerabilities, usually in the form of inline javascript. XSS attacks are usually based around attaching javascript onto an html tag, so that when the visitor clicks on the link, it does something unexpected: for example, redirects them to a phishing site, steals their cookies, or opens a load of pop-up windows.

A very crude attack would go something like this:

<a href="http://www.google.com" onclick="window.open('http://www.yahoo.com', '_self'); return false;">Click me</a>

Defending against this can be very problematic unless you strip out all tags. However, there are a number of libraries that should help; foremost amongst them is HTML Purifier. As an alternative you can allow BBCode to be inserted. BBCode is a simplified markup that lets you insert a basic tag-like syntax that is parsed on the server into html tags. TinyMCE has a plugin to enable the easy use of BBCode, so for applications that let the general public create content, this may be the safest route.
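As an added example, not code from the original post, here is a minimal server-side BBCode renderer in Python along the lines of the approach described above: everything the user typed is HTML-escaped first, and only [b], [i] and [url=...] are then turned into html, with the link target checked against an http/https allowlist so that javascript: links and quote-smuggled attributes are dropped. The names (render_bbcode, safe_href, ALLOWED_SCHEMES) are my own, and the crude attack string from above is used as a constructed test input.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical renderer (added example). Only these schemes may appear in [url=...].
ALLOWED_SCHEMES = {"http", "https"}
_HOSTNAME = re.compile(r"[A-Za-z0-9.-]+")
_URL_TAG = re.compile(r"\[url=(.+?)\](.+?)\[/url\]", re.IGNORECASE | re.DOTALL)
_SIMPLE_TAGS = {"b": "strong", "i": "em"}  # BBCode tag -> html element


def safe_href(raw: str) -> Optional[str]:
    """Return an attribute-safe URL if the scheme and host pass the allowlist, else None."""
    url = html.unescape(raw).strip()  # undo the blanket escaping applied in render_bbcode
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None  # rejects javascript:, data:, vbscript: and relative/odd inputs
    if not _HOSTNAME.fullmatch(parts.hostname or ""):
        return None  # rejects a host like 'example.com" onclick="...' that would break out
    return html.escape(url, quote=True)  # quote=True keeps " and ' escaped inside the attribute


def _render_url(match: "re.Match") -> str:
    href = safe_href(match.group(1))
    text = match.group(2)  # already escaped, so it can never contain a tag
    if href is None:
        return text  # unsafe target: keep the visible text, drop the link
    return f'<a href="{href}" rel="nofollow">{text}</a>'


def render_bbcode(user_input: str) -> str:
    """Escape all user-supplied html, then convert a small BBCode subset to tags."""
    out = html.escape(user_input, quote=True)  # no user-written <tag> survives this line
    out = _URL_TAG.sub(_render_url, out)
    for bb, tag in _SIMPLE_TAGS.items():
        out = re.sub(rf"\[{bb}\](.*?)\[/{bb}\]", rf"<{tag}>\1</{tag}>", out,
                     flags=re.IGNORECASE | re.DOTALL)
    return out


if __name__ == "__main__":
    # Constructed input: the crude onclick attack from the article, rendered inert.
    attack = '<a href="http://www.google.com" onclick="window.open(\'http://www.yahoo.com\', \'_self\'); return false;">Click me</a>'
    print(render_bbcode(attack))
    print(render_bbcode("[url=http://example.com/?a=1&b=2]site[/url] and [url=javascript:alert(1)]x[/url]"))
```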
