Comments on: toStaticHTML: Sanitize your HTML in IE 8 http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8 Cleaning up the web with Ajax Thu, 17 May 2012 07:43:39 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: gonchuki http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267595 gonchuki Tue, 23 Sep 2008 01:57:34 +0000 http://ajaxian.com/?p=4307#comment-267595 @pmontrasio: you are missing the point, having that function in JS is completely useless. User input should be sanitized upon submission in server-side, so everything that hits the DB is already sanitized and cleared for safe outputting. @pmontrasio:
you are missing the point, having that function in JS is completely useless. User input should be sanitized upon submission in server-side, so everything that hits the DB is already sanitized and cleared for safe outputting.

]]> By: pmontrasio http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267170 pmontrasio Wed, 03 Sep 2008 16:25:14 +0000 http://ajaxian.com/?p=4307#comment-267170 Because maybe you have a site like Ajaxian where people can type in comments like I'm doing. If you don't sanitize input you might end up serving rogue HTML created by some attacker which does a lot of nasty things to the browsers of your visitors and their PCs. Because maybe you have a site like Ajaxian where people can type in comments like I’m doing. If you don’t sanitize input you might end up serving rogue HTML created by some attacker which does a lot of nasty things to the browsers of your visitors and their PCs.

]]> By: wwwmarty http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267161 wwwmarty Wed, 03 Sep 2008 15:28:15 +0000 http://ajaxian.com/?p=4307#comment-267161 Why would I need this? Why would I need this?

]]> By: Jerome http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267148 Jerome Wed, 03 Sep 2008 11:03:28 +0000 http://ajaxian.com/?p=4307#comment-267148 Yeah, I'm convinced now that proper parsing and whitelisting of tags and their attributes is the only way you stand a chance. Yeah, I’m convinced now that proper parsing and whitelisting of tags and their attributes is the only way you stand a chance.

]]> By: nate http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267142 nate Wed, 03 Sep 2008 05:43:20 +0000 http://ajaxian.com/?p=4307#comment-267142 Sigh, my first post and already hit by escaping issues. <code>s/</</g</code>, nate. The second snippet (which turned into a link labeled "test") was supposed to read: <code><a href="javascript:alert('ok');">test</a></code> Sigh, my first post and already hit by escaping issues. s/</&lt;/g, nate. The second snippet (which turned into a link labeled “test”) was supposed to read:

<a href="javascript:alert('ok');">test</a>

]]> By: nate http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267141 nate Wed, 03 Sep 2008 05:40:55 +0000 http://ajaxian.com/?p=4307#comment-267141 It is important to know that it is extremely difficult (if not nearly impossible) to sanitize all scripts out of a string using regexes (especially with those as simple as posted here). The only way to properly do this would be to parse and tokenize the HTML. You can't generalize that "on___" means javascript; you need to know the context in which the "on___" is found. Take the following example regex provided by Jerome above: <code>/<script[\s\S]+?|(]+)\son\w+=(['"])[\s\S]+?\2/gi</code> Apply that regex to the following 2 sample snippets: <code><input type="text" value=" only='text' " /></code> <code><a href="javascript:alert('ok');">test</a></code> The first should not be affected by sanitation, but will be due to the value of the "value" attribute. The second one makes it through sanitation when it obviously shouldn't (though I am unaware if this IE8 function will remove javascript:-prefixed URIs?). If you attempt to hack HTML sanitation with regexes, you are going to forget to plug at least one hole and someone is bound to find and exploit it. At one time or another every developer seems to get it in their head that they "know what they're doing" with regards to sanitizing HTML of malicious tags. So far I haven't seen a single, simple regex solution that hasn't been an utterly insecure hack. It is important to know that it is extremely difficult (if not nearly impossible) to sanitize all scripts out of a string using regexes (especially with those as simple as posted here).

The only way to properly do this would be to parse and tokenize the HTML. You can’t generalize that “on___” means javascript; you need to know the context in which the “on___” is found. Take the following example regex provided by Jerome above:

/<script[\s\S]+?|(]+)\son\w+=(['"])[\s\S]+?\2/gi

Apply that regex to the following 2 sample snippets:

<input type="text" value=" only='text' " />
<a href="javascript:alert('ok');">test</a>

The first should not be affected by sanitation, but will be due to the value of the “value” attribute. The second one makes it through sanitation when it obviously shouldn’t (though I am unaware if this IE8 function will remove javascript:-prefixed URIs?).

If you attempt to hack HTML sanitation with regexes, you are going to forget to plug at least one hole and someone is bound to find and exploit it. At one time or another every developer seems to get it in their head that they “know what they’re doing” with regards to sanitizing HTML of malicious tags. So far I haven’t seen a single, simple regex solution that hasn’t been an utterly insecure hack.

]]> By: savetheclocktower http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267125 savetheclocktower Tue, 02 Sep 2008 22:40:32 +0000 http://ajaxian.com/?p=4307#comment-267125 Why on earth is this a global method? Why not make it an instance method (or even a static method) on String? It'd be a proprietary augmentation of String, yes, but is that any worse than encroaching on window? Why on earth is this a global method? Why not make it an instance method (or even a static method) on String? It’d be a proprietary augmentation of String, yes, but is that any worse than encroaching on window?

]]> By: jeromew http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267119 jeromew Tue, 02 Sep 2008 21:07:11 +0000 http://ajaxian.com/?p=4307#comment-267119 This makes for interesting reading: http://refactormycode.com/codes/333-sanitize-html This makes for interesting reading: http://refactormycode.com/codes/333-sanitize-html

]]> By: jeromew http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267115 jeromew Tue, 02 Sep 2008 20:47:11 +0000 http://ajaxian.com/?p=4307#comment-267115 @genericallyloud - I'd actually say that the browser is often the worst candidate for sanitization. i.e. if you're sending back data to the server and expecting it to have been sanitized by the browser you're in for a world of hurt. . Fair comment about the simplistic regex though :) I'd be interested to hear about ways to work around it. . e.g. - the regex currently expects the onXXX value to be surrounded by [double]quotes - need to match and remove: href="javascript:xxx" - need to match and remove: behaviour: xxx in a <style> tag - other things...? @genericallyloud – I’d actually say that the browser is often the worst candidate for sanitization. i.e. if you’re sending back data to the server and expecting it to have been sanitized by the browser you’re in for a world of hurt.
.
Fair comment about the simplistic regex though :) I’d be interested to hear about ways to work around it.
.
e.g.
- the regex currently expects the onXXX value to be surrounded by [double]quotes
- need to match and remove: href=”javascript:xxx”
- need to match and remove: behaviour: xxx in a <style> tag
- other things…?

]]> By: genericallyloud http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267112 genericallyloud Tue, 02 Sep 2008 20:06:50 +0000 http://ajaxian.com/?p=4307#comment-267112 @Morgan - seriously? Not that its a perfect solution, but html sanitization is a real problem. As Jerome has just clearly demonstrated, html sanitization efforts are often done poorly (sorry Jerome, but thats a very simplistic solution). There are so many crazy ways for people to get script code into html and cause XSS attacks. This is because of how loose the browser can be in allowing scripts in. Who better to sanitize than a browser?! @Morgan – seriously? Not that its a perfect solution, but html sanitization is a real problem. As Jerome has just clearly demonstrated, html sanitization efforts are often done poorly (sorry Jerome, but thats a very simplistic solution). There are so many crazy ways for people to get script code into html and cause XSS attacks. This is because of how loose the browser can be in allowing scripts in. Who better to sanitize than a browser?!

]]> By: MorganRoderick http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267104 MorganRoderick Tue, 02 Sep 2008 18:20:44 +0000 http://ajaxian.com/?p=4307#comment-267104 Clearly MS has not learnt any lessons from past endeavours, and are still creating needless and proprietary extensions to their browser. All in a time where all their focus should be on catching up to the rest of the markets support for existing web standards. Practical as the single function may be, it just helps to further delay the demise of IE6. Clearly MS has not learnt any lessons from past endeavours, and are still creating needless and proprietary extensions to their browser.

All in a time where all their focus should be on catching up to the rest of the markets support for existing web standards.

Practical as the single function may be, it just helps to further delay the demise of IE6.

]]> By: Rumble http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267103 Rumble Tue, 02 Sep 2008 18:16:24 +0000 http://ajaxian.com/?p=4307#comment-267103 I wonder if this will also clean up some of the terrible mark up generated by Microsoft Office? I recently had a bash at writing an HTML sanitizer/clean up in Javascript, using RegExes to check against a white list of allowed tags and attributes. The result works OK, but was a bit slow and could probably do with some optimization love, must get around to sharing the code online soon, as it totally pwnd Office's dodgy HTML and I'm sure others would find it useful too. I wonder if this will also clean up some of the terrible mark up generated by Microsoft Office?

I recently had a bash at writing an HTML sanitizer/clean up in Javascript, using RegExes to check against a white list of allowed tags and attributes.

The result works OK, but was a bit slow and could probably do with some optimization love, must get around to sharing the code online soon, as it totally pwnd Office’s dodgy HTML and I’m sure others would find it useful too.

]]> By: Jerome http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267101 Jerome Tue, 02 Sep 2008 17:01:32 +0000 http://ajaxian.com/?p=4307#comment-267101 OK, so I'm really sorry for spamming this article. Last try - I hope this helps someone. This should work: . if (typeof toStaticHTML == "undefined") { toStaticHTML = function(inputHtml) { return inputHtml.replace(/<script[\s\S]+?<\/script>|(<[^>]+)\son\w+=(['"])[\s\S]+?\2/gi, "$1"); } } OK, so I’m really sorry for spamming this article. Last try – I hope this helps someone. This should work:
.
if (typeof toStaticHTML == "undefined") {
toStaticHTML = function(inputHtml) {
return inputHtml.replace(/<script[\s\S]+?<\/script>|(<[^>]+)\son\w+=(['"])[\s\S]+?\2/gi, "$1");
}
}

]]> By: Jerome http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267100 Jerome Tue, 02 Sep 2008 16:29:52 +0000 http://ajaxian.com/?p=4307#comment-267100 Triple oops. That's only going to work in .NET or some other language that supports look-behinds. I'll get my coat. Triple oops. That’s only going to work in .NET or some other language that supports look-behinds. I’ll get my coat.

]]> By: Jerome http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267098 Jerome Tue, 02 Sep 2008 16:14:04 +0000 http://ajaxian.com/?p=4307#comment-267098 Double oops. Should have HTML encoded before posting: . <script[\s\S]+?</script>|(?<=<[^>]+)\son\w+=(['"])[\s\S]+?\1 Double oops. Should have HTML encoded before posting:
.
<script[\s\S]+?</script>|(?<=<[^>]+)\son\w+=(['"])[\s\S]+?\1

]]> By: Jerome http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267096 Jerome Tue, 02 Sep 2008 16:09:26 +0000 http://ajaxian.com/?p=4307#comment-267096 Oops. To be clear: use the regex to replace() with empty string. Oops. To be clear: use the regex to replace() with empty string.

]]> By: Jerome http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267095 Jerome Tue, 02 Sep 2008 16:07:07 +0000 http://ajaxian.com/?p=4307#comment-267095 This regular expression should do something similar: . <script[\s\S]+?|(?<=]+)\son\w+=(['"])[\s\S]+?\1 . I just knocked it up and ran a quick test on the example above though, so possibly not production quality :) This regular expression should do something similar:
.
<script[\s\S]+?|(?<=]+)\son\w+=(['"])[\s\S]+?\1
.
I just knocked it up and ran a quick test on the example above though, so possibly not production quality :)

]]> By: Nosredna http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267090 Nosredna Tue, 02 Sep 2008 14:31:48 +0000 http://ajaxian.com/?p=4307#comment-267090 Anyone have a solid JavaScript version of this? Anyone have a solid JavaScript version of this?

]]> By: genericallyloud http://ajaxian.com/archives/tostatichtml-sanitize-your-html-in-ie-8/comment-page-1#comment-267089 genericallyloud Tue, 02 Sep 2008 14:07:18 +0000 http://ajaxian.com/?p=4307#comment-267089 Can we get this function for text inputs? Can we get this function for text inputs?

]]>