If you want to go deeper, check out the OWASP AntiSamy project:
http://www.owasp.org/index.php/AntiSamy

"Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules." There are sample policy files for different levels of acceptance that, while not directly applicable, may be useful.

Stephen

On Thu, Jul 31, 2008 at 5:42 AM, Ryan Barnett <Ryan.Barnett@breach.com> wrote:
Johnny,
You have a few different options; however, since I don't have access to a
Joomla install, I am not sure of the best approach. My understanding is
that Joomla allows people to do some HTML editing, which is a very
difficult issue to handle when attempting to block XSS attacks with
negative security rules.

1) The "Easy to do but bad for security" approach is to simply disable
that rule globally -

SecRuleRemoveById 950004

2) The better approach is to disable the rule only for that one
particular URL location -

SecRule REQUEST_FILENAME "^/a/" \
    "phase:1,t:none,t:urlDecode,t:normalisePathWin,t:lowercase,nolog,ctl:ruleRemoveById=950004"

3) An even better approach would be to profile the acceptable html
components which are normally used.  For instance, in looking at the
example you sent, would an img src always reference data on the local
Joomla site?  If so, you could probably copy/modify the XSS regex rule
to allow for local site inclusions.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Johnny Stork
> Sent: Wednesday, July 30, 2008 5:15 PM
> To: mod-security-users@lists.sourceforge.net
> Subject: [mod-security-users] Problem with Joomla Site Triggering Alarms
>
> I am running mod_security on my hosting site and one client, with a
> customized Joomla site, keeps triggering the alarm below. Can anyone shed
> any light on this: is there a fix, or is this a badly behaving site?
>
> GET:
>
> /a/%3Cimg%20src=%22http://www.photoexpressions.ca/a//images/frontpage/front-page-studio.jpg%22%20align=%22left%22%20hspace=%226%22%20alt=%22Image%22%3E HTTP/1.1
>
> MESSAGE:
>
> Access denied with code 500 (phase 2). Pattern match "(?:\\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\\b\\W*?=|abort\\b)|(?:l(?:owsrc\\b\\W*?\\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\\b\\W*? ..." at REQUEST_FILENAME. [id "950004"] [msg "Cross-site Scripting (XSS) Attack. Matched signature <src=\"http:>"] [severity "CRITICAL"]
>
> --
> Johnny Stork
> Open Enterprise Solutions
> "Empowering Business With Open Solutions"
>
> http://www.openenterprise.ca
>

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
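Ryan's third option, worked through as an added example (this is not his rule, nor one from the ModSecurity project or the Core Rule Set). It assumes the Joomla site is served at www.photoexpressions.ca, the host in Johnny's GET line, and that the editor only ever places a single <img> tag whose src stays on that host; the rule id 999004 and the attribute list are assumptions for the example.

```apache
# Positive-security exception for the /a/ Joomla editor path.
# Instead of removing 950004 for every request under /a/ (Ryan's option 2),
# remove it only for a request whose decoded path is exactly one <img> tag
# that points back at the local site. Anything else (event handlers,
# javascript: URLs, a second tag, a remote host) does not match here and is
# still inspected by 950004 in phase 2.
#
# Transformations: t:urlDecodeUni turns %3C/%22 back into < and ", and
# t:lowercase lets the pattern stay case-insensitive (so the alt text
# "Image" is compared as "image").
SecRule REQUEST_FILENAME "^/a/<img\s+src=\"http://www\.photoexpressions\.ca/[a-z0-9_./-]+\.(?:jpe?g|png|gif)\"(?:\s+(?:align|hspace|alt)=\"[a-z0-9 ]*\")*\s*/?>$" \
    "phase:1,t:none,t:urlDecodeUni,t:lowercase,nolog,pass,id:999004,ctl:ruleRemoveById=950004"
```

Test it with the exact URL from Johnny's alert (which should now pass) and with the same URL carrying a remote host or an added onerror= attribute (which should still be blocked by 950004) before rolling it out.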