[mod-security-users] whitelisting XSS/HTML-injection defense

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

I've read the portion of the doc that covers XSS, i.e.

<Location /cms/article-update.php>
SecFilterInheritance Off
# other filters here ...
SecFilterSelective "ARGS|!ARG_body" "<.+>"
</Location>

What I would like to know is if anyone has gotten more sophisticated with XSS
defense and tried to whitelist certain tags.  I'm trying to set up a policy
that will allow a few harmless tags (let's say, for argument's sake, that <B>
and <PRE> are considered harmless) but not others.  This has proven to be quite
a challenge.  So far, I've come up with:

SecFilterSelective "ARGS|!ARG_blog-text" "<.+>" id:1501
SecFilterSelective "ARG_blog-text" "<" chain,id:1502
SecFilterSelective "ARG_blog-text" "!<([Bb]|[Pp][Rr][Ee])([ >])" id:1503
SecFilterForceByteRange 9 126

But this (needless to say) doesn't work because a QUERY_STRING that has

blog-text=Abc+def+<B>

will still find the "Abc+def" matching <([Bb]|[Pp][Rr][Ee])([ >]) and be
blocked by the filter.  Has anyone come up with a clever way to whitelist input
this way?  I'm going to keep trying but I'm feeling close-to-stumped right now
:-)

Erick.

__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com