Diane Trout (alienghic) wrote,
Diane Trout
alienghic

Protecting against XSS

I wanted a module to strip out potential XSS injections.

I looked at the set of allowed HTML on the LJ post and was came up with this idea.

use BeautifulSoup to parse the submitted html, remove all tags that aren't in a safe html whitelist. And then for img & a tags process the url and require they start with an allowed set of protocols. The main downside is that <img src=/foo.png/> wont work. you have to list the http:

This seems like a good method for sanitizing user input while allowing some html -- but how can you really know you're protecting against all the possible ways to inject a hostile payload. There's some really funky techniques for tricking the browser at http://ha.ckers.org/xss.html

from BeautifulSoup import BeautifulSoup, Tag
import urlparse

SAFE_HTML = set(['a','img',
                 'b','big','blockquote','br',
                 'center','cite','code',
                 'dd','div','dl','dt',
                 'em','font','h1','h2','h3','hr',
                 'i','input',
                 'li','nobr','ol','option','p','pre',
                 's','small','span','strike','strong','sub','sup',
                 'table','td','th','tr','tt','u','ul'])
SAFE_URL_SCHEME = set(['ftp', 'gopher', 'http', 'https', 'mailto', 
                       'svn', 'svn+ssh'])

def pasturize_html(body):
    soup = BeautifulSoup(body)
    pasturize_soup_contents(soup)
    return unicode(soup)

def pasturize_soup_contents(contents):
    for element in contents:
        if isinstance(element, Tag):
            if element.next is not None:
                pasturize_soup_contents(element)
            name = element.name.lower()
            if name == 'a':
                href = pasturize_url(element.get('href'))
                if href is not None:
                    element['href'] = href
            elif name == 'img':
                src = pasturize_url(element.get('src'))
                if src is not None:
                    element['src'] = src
            elif name not in SAFE_HTML:
                element.replaceWith('')

def pasturize_url(url):
    if url is None:
        return None
    
    parts = urlparse.urlparse(url)
    if parts.scheme.lower() not in SAFE_URL_SCHEME:
        return ''
    return urlparse.urlunparse(parts)
    

body = pasturize_html('''<IMG """><SCRIPT>alert("XSS")</SCRIPT>">''')
assert body == '''<img />">'''

body = pasturize_html('''<IMG SRC="   javascript:alert('XSS');">''')
assert body == '''<img />">'''
Tags: python
Subscribe

  • RDF modeling with Python

    I've been trying to figure out how to get an RDF model with inference working as that's one more step toward creating intelligence assistance…

  • SciPy 2008

    I spent thursday, friday, and part of saturday at SciPy. I had no idea what UFuncs were for. Several projects are switching to a new python…

  • hacking setuptools to compile pyrex modules on OS X

    I was trying to install rdflib 2.4 on an OS X 10.5 machine and got the error message File…

  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 2 comments