[Owasp-antisamy] black list
Alexander Afonin
alexafonin at yahoo.com
Thu May 14 04:34:51 EDT 2009
Hello,
I compared standard HTML 4.0 (also including XHTML and deprecated tags/attributes) tags/attributes with AntiSamy 1.3 anythinggoes policy. Below are the lists of invalid (not mentioned in the policy or action != validate) tags and invalid attributes (not listed in the global attributes section and not listed in tag sections). I can see why most of these tags/attributes are considered unsafe. However, I was surprised to see some (to my mind harmless) tags/attributes blacklisted. For example, what's wrong with such tags as abbr, acronym, address, bdo, caption, dd, del, dfn, dir, dl, dt, ins, isindex, kbd, menu, q, s, tt?
Why are such attributes as dir, lang, xml:lang, summary (table tag), alink, vlink, background (body tag) not allowed?
Thanks
Alex
Invalid tags:
abbr, acronym, address, applet, area, base, basefont, bdo, caption, dd, del, dfn, dir, dl, dt, frame, frameset, iframe, ins, isindex, kbd, menu, meta, noframes, object, optgroup, param, q, s, script, title, tt, var
Invalid attributes:
a [accesskey, charset, coords, dir, hreflang, rev, shape, tabindex, target, xml:lang]
b [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
big [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
blockquote [cite, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
body [alink, background, dir, link, text, vlink, xml:lang]
button [dir, tabindex, xml:lang]
center [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup]
cite [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
code [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
col [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
colgroup [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
div [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
em [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
fieldset [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
font [dir]
form [accept, accept-charset, dir, enctype, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onreset, onsubmit, target, xml:lang]
h1 [align, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
head [dir, profile, xml:lang]
hr [align, dir, noshade, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, size, width, xml:lang]
html [dir, xml:lang, xmlns]
i [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
img [dir, ismap, longdesc, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, usemap, xml:lang]
input [accept, align, dir, onblur, onchange, onclick, ondblclick, onfocus, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onselect, tabindex, xml:lang]
label [accesskey, dir, onblur, onclick, ondblclick, onfocus, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
legend [accesskey, align, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
li [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, type, value, xml:lang]
link [charset, dir, href, hreflang, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, rev, target, xml:lang]
map [onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
noscript [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
ol [compact, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, start, type, xml:lang]
option [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
p [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
pre [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, width, xml:lang]
samp [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
select [dir, onblur, onchange, onclick, ondblclick, onfocus, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onselect, tabindex, xml:lang]
small [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
span [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
strike [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup]
strong [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
style [dir, xml:lang]
sub [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
sup [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
table [dir, frame, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, rules, summary, xml:lang]
tbody [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
td [abbr, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
textarea [dir, onblur, onchange, onclick, ondblclick, onfocus, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onselect, tabindex, xml:lang]
tfoot [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
th [abbr, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
thead [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
tr [bgcolor, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
u [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup]
ul [compact, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, type, xml:lang]
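The comparison described in this post can be reproduced mechanically. The script below is an added example, not code from the post or from the AntiSamy project: it parses an AntiSamy-style policy (a constructed fragment stands in for anythinggoes.xml) and reports, for a constructed subset of HTML 4.0 tags and attributes, which tags are not validated and which attributes appear neither under global-tag-attributes nor in the tag's own rule. The reference table and the policy fragment are both assumptions; point `load_policy` at the real policy file and extend `HTML40` to run it against the full DTD.

```python
import xml.etree.ElementTree as ET

# Constructed AntiSamy-style policy fragment; not the real anythinggoes.xml.
POLICY_XML = """<anti-samy-rules>
  <global-tag-attributes>
    <attribute name="id"/>
    <attribute name="class"/>
    <attribute name="lang"/>
  </global-tag-attributes>
  <tag-rules>
    <tag name="a" action="validate">
      <attribute name="href"/>
      <attribute name="name"/>
    </tag>
    <tag name="table" action="validate">
      <attribute name="border"/>
    </tag>
    <tag name="script" action="remove"/>
    <tag name="title" action="truncate"/>
  </tag-rules>
</anti-samy-rules>"""

# Constructed subset of HTML 4.0: tag -> attributes the DTD allows on it.
HTML40 = {
    "a": {"href", "name", "target", "dir", "xml:lang", "id"},
    "abbr": {"title", "dir", "lang"},
    "table": {"border", "summary", "dir", "class"},
    "script": {"src", "type"},
    "title": {"dir"},
}

def load_policy(xml_text):
    """Return (global attribute names, {tag: (action, tag attribute names)})."""
    root = ET.fromstring(xml_text)
    global_attrs = {a.get("name").lower()
                    for a in root.findall(".//global-tag-attributes/attribute")}
    tags = {t.get("name").lower(): (t.get("action"),
            {a.get("name").lower() for a in t.findall("attribute")})
            for t in root.findall(".//tag-rules/tag")}
    return global_attrs, tags

def audit_policy(xml_text, reference):
    """Apply the post's criteria: a tag is invalid if absent or action != validate;
    an attribute is invalid if it is neither global nor listed under its tag."""
    global_attrs, tags = load_policy(xml_text)
    invalid_tags = sorted(t for t in reference
                          if t not in tags or tags[t][0] != "validate")
    invalid_attrs = {}
    for tag, attrs in reference.items():
        if tag in invalid_tags:
            continue  # attributes of a dropped tag are moot
        bad = sorted(attrs - (global_attrs | tags[tag][1]))
        if bad:
            invalid_attrs[tag] = bad
    return invalid_tags, invalid_attrs
```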