Encoding malicious code instead of removing it #298
Comments
|
Please provide an example where it is not working as expected. |
|
Hi @csware , suppose a string is imported into an application and suppose we can't know if it will be used as inner HTML, as f.e. formatted text, or as a data string. Suppose first to secure the text before it gets displayed we always sanitize it. But if that text is given as f.e.
then with no appropriate policy, the string
might reach the view and text is missing we might want to be displayed. On the other hand, if I just encode every string that is imported and one such string is a formatted text (with some p tags in it or some list tags, or some b tags etc.) which is used as inner HTML, then I loose the possibility of formatted text. My question would be if it is possible to secure a text where it is not clear if it will be used as a data string or as inner HTML. I hope this makes it a little bit clearer ;) |
|
I suppose this could be achieved using a preprocessor. However, the input is not correctly encoded. If |
|
Hi, @bmscodespace |
Hi,
is it possible to build a policy that, instead of removing problematic parts of a html string, just encodes those parts in such a way that they can do no harm when the string is used in a html-page?
So
<script>alert`1`</script>would then be replaced by something like
<script>alert`1`</script>.Thank you for any answer ;)
p.s. the idea behind my question is that I would like to use a policy that does not know if it deals with a string that will be used as inner html or as an "ordinary text field" with no html but where we could read a text about the "<script>" tag. If malicious code is removed by the sanitizer, then this could destroy "ordinary text". On the other hand, if I would use output encoding on my string I would loose text formatting in the case of inner html.
The text was updated successfully, but these errors were encountered: