paradoxxxzero / butterfly

A web terminal based on websocket and tornado
http://paradoxxxzero.github.io/2014/02/28/butterfly.html

Reintroduce the raw html feature securized #22

Open paradoxxxzero opened 10 years ago

paradoxxxzero commented 10 years ago

Use a good script stripping method to clean the inserted html to avoid malicious script injection.

http://stackoverflow.com/questions/6659351/removing-all-script-tags-from-html-with-js-regular-expression and https://github.com/LiftoffSoftware/htmltag/blob/master/htmltag.py#L186

could be a start.

paradoxxxzero commented 10 years ago

Following a discussion with the GateOne developer, this should be reintroduced as a DCS control rather than a dirty OSC99 hack. The escape format will be:

\x90;TYPE|CONTENT\x9c

Where TYPE here will be HTML and CONTENT the raw html to be stripped.

paultag commented 10 years ago

FTR my example svg had no script tags.

paradoxxxzero commented 10 years ago

Yes, all on* attributes must be removed too. I was wondering, maybe using an embed tag with a data url should be enough to prevent any exploit?
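The following is an added example, not code from butterfly or from anyone in this thread. It puts the two points of the discussion together: a parser for the proposed `\x90;TYPE|CONTENT\x9c` DCS sequence (8-bit C1 DCS and ST, as written above), and an allowlist sanitizer for the HTML payload that drops `<script>`-like elements with their contents, every `on*` attribute, and `javascript:`/`data:text/html` URLs. It also runs the regex-only approach from the Stack Overflow link over two constructed payloads to show what a script-tag regex leaves behind. The function names (`parse_dcs`, `sanitize_html`, `handle_sequence`, `regex_strip`), the tag and scheme allowlists, and the sample payloads are assumptions chosen for the example; it does not evaluate the `<embed>`-with-data-URL idea and stays with the stripping approach discussed above.

```python
import re
from html import escape
from html.parser import HTMLParser

# 8-bit C1 controls used by the proposed escape: DCS ';' TYPE '|' CONTENT ST
DCS = "\x90"
ST = "\x9c"


def parse_dcs(seq):
    """Split one DCS sequence into (TYPE, CONTENT); return None if malformed."""
    if not (seq.startswith(DCS + ";") and seq.endswith(ST)):
        return None
    body = seq[len(DCS) + 1:-len(ST)]
    if "|" not in body:
        return None
    kind, content = body.split("|", 1)
    return kind, content


# Assumed allowlist: tags the terminal is willing to render. Unknown tags are
# dropped; a few active elements are dropped together with their contents.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "span", "div", "ul", "ol",
                "li", "code", "pre", "img", "svg", "g", "path", "circle", "rect", "text"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "xlink:href"}
SAFE_URL_PREFIXES = ("http:", "https:", "mailto:", "data:image/png",
                     "data:image/jpeg", "data:image/gif")


def url_is_safe(value):
    """Allow relative URLs and a fixed set of schemes; reject javascript:,
    data:text/html and friends, including obfuscated forms like 'java\\tscript:'."""
    v = re.sub(r"[\x00-\x20]", "", (value or "").lower())  # browsers ignore these
    if v.startswith(SAFE_URL_PREFIXES):
        return True
    return ":" not in v.split("/", 1)[0]   # no scheme at all -> relative URL


class Sanitizer(HTMLParser):
    """Allowlist sanitizer that rebuilds markup from parsed tokens. It never edits
    the raw string, so a split tag like <scr<script>ipt> cannot be reassembled
    into something the browser executes. Note: html.parser lowercases attribute
    names, so case-sensitive SVG attributes (viewBox) come out lowercased."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out = []
        self.skip = 0               # >0 while inside a dropped element

    def _start(self, tag, attrs, self_closing):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):          # onload, onerror, onclick, ...
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s%s>" % (tag, "".join(kept), "/" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if not self.skip and tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))
    # comments, doctype and <?...?> fall through to the base class no-op handlers


def sanitize_html(raw):
    p = Sanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out)


# The regex from the Stack Overflow link: removes literal <script> elements only.
SCRIPT_RE = re.compile(r"<script\b[^<]*(?:(?!</script>)<[^<]*)*</script>", re.I)


def regex_strip(raw):
    return SCRIPT_RE.sub("", raw)


def handle_sequence(seq):
    """Dispatch one DCS sequence: HTML payloads are sanitized, other TYPEs ignored."""
    parsed = parse_dcs(seq)
    if parsed is None or parsed[0] != "HTML":
        return None
    return sanitize_html(parsed[1])


if __name__ == "__main__":
    # Constructed payloads: an event handler with no <script> at all, and a split tag.
    for payload in ('<img src=x onerror=alert(1)>',
                    '<scr<script></script>ipt>alert(1)</script>'):
        print("regex  :", regex_strip(payload))
        print("parser :", handle_sequence(DCS + ";HTML|" + payload + ST))
```

Feeding the two constructed payloads through `regex_strip` shows the point made in the last two comments: the first payload carries no `<script>` element, so the regex returns it unchanged with its `onerror` handler intact, and the second comes back as a literal `<script>alert(1)</script>` because removing the inner tag joins the two halves. The allowlist parser drops the handler and never emits a non-allowlisted tag, so neither survives.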