Diane Trout (alienghic) wrote,
Diane Trout

Protecting against XSS

I wanted a module to strip out potential XSS injections.

I looked at the set of allowed HTML on the LJ post and was came up with this idea.

use BeautifulSoup to parse the submitted html, remove all tags that aren't in a safe html whitelist. And then for img & a tags process the url and require they start with an allowed set of protocols. The main downside is that <img src=/foo.png/> wont work. you have to list the http:

This seems like a good method for sanitizing user input while allowing some html -- but how can you really know you're protecting against all the possible ways to inject a hostile payload. There's some really funky techniques for tricking the browser at http://ha.ckers.org/xss.html

from BeautifulSoup import BeautifulSoup, Tag
import urlparse

SAFE_HTML = set(['a','img',
SAFE_URL_SCHEME = set(['ftp', 'gopher', 'http', 'https', 'mailto', 
                       'svn', 'svn+ssh'])

def pasturize_html(body):
    soup = BeautifulSoup(body)
    return unicode(soup)

def pasturize_soup_contents(contents):
    for element in contents:
        if isinstance(element, Tag):
            if element.next is not None:
            name = element.name.lower()
            if name == 'a':
                href = pasturize_url(element.get('href'))
                if href is not None:
                    element['href'] = href
            elif name == 'img':
                src = pasturize_url(element.get('src'))
                if src is not None:
                    element['src'] = src
            elif name not in SAFE_HTML:

def pasturize_url(url):
    if url is None:
        return None
    parts = urlparse.urlparse(url)
    if parts.scheme.lower() not in SAFE_URL_SCHEME:
        return ''
    return urlparse.urlunparse(parts)

body = pasturize_html('''<IMG """><SCRIPT>alert("XSS")</SCRIPT>">''')
assert body == '''<img />">'''

body = pasturize_html('''<IMG SRC="   javascript:alert('XSS');">''')
assert body == '''<img />">'''
Tags: python

  • Guild Wars 2

    I started playing Guild Wars 2, and am happy their questing system has broken with WoW's current quest design. As WoW grew they "simplified" and…

  • calendar.

    Its been a really long time since I tried to write. I keep meaning to roll my own blog software, but there's so many other things I should be doing.…

  • Building debian packages for mozilla's sync server

    I'm surprised this seems to have gotten valid debian packages with a minimum of fuss for a package where I couldn't find a recommended release…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded