Re: [mod-security-users] whitelisting XSS/HTML-injection defense
From: Ivan R. <iv...@we...> - 2005-10-03 12:26:47
Rude Yak wrote:
> I've read the portion of the doc that covers XSS, i.e.
>
> <Location /cms/article-update.php>
> SecFilterInheritance Off
> # other filters here ...
> SecFilterSelective "ARGS|!ARG_body" "<.+>"
> </Location>
>
> What I would like to know is if anyone has gotten more sophisticated with XSS
> defense and tried to whitelist certain tags. I'm trying to set up a policy
> that will allow a few harmless tags (let's say, for argument's sake, that <B>
> and <PRE> are considered harmless) but not others. This has proven to be quite
> a challenge. So far, I've come up with:
>
> SecFilterSelective "ARGS|!ARG_blog-text" "<.+>" id:1501
> SecFilterSelective "ARG_blog-text" "<" chain,id:1502
> SecFilterSelective "ARG_blog-text" "!<([Bb]|[Pp][Rr][Ee])([ >])" id:1503
> SecFilterForceByteRange 9 126
>
> But this (needless to say) doesn't work because a QUERY_STRING that has
>
> blog-text=Abc+def+<B>
>
> will still find the "Abc+def" matching <([Bb]|[Pp][Rr][Ee])([ >]) and be
> blocked by the filter. Has anyone come up with a clever way to whitelist input
> this way? I'm going to keep trying but I'm feeling close-to-stumped right now
> :-)

Brave attempt but I don't think it is possible to reliably
whitelist HTML tags using regular expressions only. In this case
I think custom programming is the way to go.

This is something I want to add to a future ModSecurity release:
create a hook to allow custom code to be plugged-in to verify
the incoming data.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
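
A sketch of the kind of custom check the reply points to, added here as an example; it is not part of the original message and not ModSecurity code. It visits every `<` in the value and accepts it only as a bare allowed tag, a per-occurrence test that a single pattern match over the whole value does not express. The function names and sample values are hypothetical, and it assumes the value is already URL-decoded, that no tag attributes are permitted, and that a literal `<` in text arrives as `&lt;`.

```python
import re

# Assumption: the allowlist from the thread (<B> and <PRE>); attributes are never accepted.
ALLOWED_TAGS = {"b", "pre"}

# A bare opening or closing tag: "<", optional "/", name, optional whitespace, ">".
BARE_TAG = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)\s*>")


def disallowed_markup(value):
    """Return (offset, reason) for every '<' that is not an allowed bare tag.

    `value` is the already URL-decoded parameter (hypothetical helper name).
    """
    problems = []
    pos = 0
    while True:
        pos = value.find("<", pos)
        if pos == -1:
            return problems
        match = BARE_TAG.match(value, pos)
        if match is None:
            # Attributes, control bytes, unterminated tags and a literal "<" land here.
            problems.append((pos, "not a bare tag"))
            pos += 1
        else:
            name = match.group(1).lower()
            if name not in ALLOWED_TAGS:
                problems.append((pos, "tag not allowed: " + name))
            pos = match.end()


def is_acceptable(value):
    """True when every '<' in the value belongs to an allowed bare tag."""
    return not disallowed_markup(value)


# Constructed sample values for the blog-text parameter.
SAMPLES = ["Abc def <B>", "<pre>x</PRE> <b>y</b>", "<B>ok</B><i>no</i>", '<b class="x">']

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), disallowed_markup(sample) or "ok")
```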