Letting Off Some Testing Steam

Apr 23, 2003 6:26 PM
Tags: css, html, javascript, programming, security

Update: Joe H. also informs me that you can have CSS load files that attach malicious script methods to HTML elements, so allowing STYLE is no safer than allowing SCRIPT. Crappy.

When you are a programmer, it's a constant struggle to let your rational thinking override your emotions: Vigorous testing is your friend, not your enemy.

All things being equal, better testing means more bugs get discovered (and more obscure ones at that). That means more work to get done within a given deadline, and more stress.

So today, I had a nice change of pace. A coworker wanted to test out a live chat page, written in ColdFusion. He allowed HTML tags in the posted questions (e.g. links, formatting), but not <SCRIPT> tags, and thought this would suffice as a way to prevent malicious use of JavaScript.

He was wrong.

There are at least four ways someone could circumvent this:
* Event handlers. Unless you want someone posting pornography, you should disable image tags. In any case, images have an onload event handler. You can put inline JavaScript there (e.g. location.href='http://www.playboy.com') and as soon as the image loads, the page redirects. An onerror handler on a broken image does the same without any image ever loading. The same principle applies to the onmouseover handler, which many more tags support.
* JavaScript in links. For any link, the href attribute does not have to be an http URL; a javascript: URL runs its code when the link is clicked. You can, for example, put something like <a href="javascript:alert('you smell!')">http://www.a_deceiving_link.com</a>
* Layout-breaking tags. These include </TD>, </TR>, </TABLE>, </DIV> and </BODY>. A stray closing tag can really mess up your layout if it appears where it wasn't intended.
* Browser-specific bugs. This includes the ability to crash IE every time with a simple malformed INPUT tag.

So, you've got a few options:
* allow tags and hope for the best
* somehow strip event handlers without wrecking other attributes (harder than it looks: a regex has to cope with mixed case, unquoted values and odd whitespace, and anything it misses goes straight to the browser)
* allow a very limited subset of tags, i.e. an allowlist of tags and of the attributes each may carry, with href values checked for a javascript: scheme
* disallow tags entirely and use something like Textile

In any case, it was fun to let off some steam, and give a small lesson on security in the process.


Comments: Letting Off Some Testing Steam

yes! thank you, thank you, thank you

Posted by: jaffy on April 23, 2003 8:57 PM | permalink

No more comments! Either someone has violated Godwin's Law, I'm tired of the discussion or, most likely, the ten-week window has closed. You can, however, contact me through email.