[Owasp-antisamy] black list

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu May 14 13:48:41 EDT 2009


Thanks for starting the discussion Alexander. Jason's response is dead-on, but let me also note that perhaps my choice of words for the "anything goes" policy file was probably a little haphazard. 
 
The name "anything goes" doesn't mean that the policy will allow anything to go through. It's just simply the most permissive policy file that I couldn't imagine being used in anything - possibly a CMS - and the purpose of the name is to tell the user "this is a possibly dangerous file to use as it lets users do pretty much anything."
 
Hope that clears some things up.
 
Thanks,
Arshan

________________________________

From: owasp-antisamy-bounces at lists.owasp.org on behalf of Jason Li
Sent: Thu 5/14/2009 1:30 PM
To: Alexander Afonin
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] black list



First, let me say that AntiSamy is a *whitelist* of allowed HTML tags
so I would not necessarily consider tags that were not included to be
unsafe or an implicit "blacklist". The goal of the default policy file
was not to identify all "bad" tags, but to follow the Pareto principle
where by default, it worked safely on the majority of typical usage
scenarios.  I think most of the tags you mention are fairly atypical
tags that don't see common usage.

I do think it might be an interesting undertaking in the future to
create documentation that explains why we chose the tags we did and
chose not to include certain tags in the whitelist.

I'll let others add more to the discussion - but looking quickly at
some of the tags, here's my initial thoughts on some of them:
- address tag: semantically is supposed to have contact information
for the site; in the typical use case for AntiSamy, we don't want
untrusted input to be specifying supposed contact information for the
site
- isindex: a deprecated tag that can function just like an input tag
(which is not in the AntiSamy whitelist either)
- dir,menu: deprecated tags that are analogous in practice to the ul tag
- bdo,caption: could be used to alter or overwrite other portions of
the page containing the untrusted input

If you perform a similar analysis on the CSS properties in the
whitelist, you'll probably find a similar set of curiosities. I'm
pretty sure esoteric things like "azimuth" are probably not in the
whitelist.

--
-Jason Li-
-jason.li at owasp.org-


On Thu, May 14, 2009 at 4:34 AM, Alexander Afonin <alexafonin at yahoo.com> wrote:
>
> Hello,
>
> I compared standard HTML 4.0 (also including XHTML and deprecated tags/attributes) tags/attributes with AntiSamy 1.3 anythinggoes policy. Below are the lists of invalid (not mentioned in the policy or action != validate) tags and invalid attributes (not listed in the global attributes section and not listed in tag sections). I can see why most of these tags/attributes are considered unsafe. However, I was surprised to see some (to my mind harmless) tags/attributes blacklisted. For example, what's wrong with such tags as abbr, acronym, address, bdo, caption, dd, del, dfn, dir, dl, dt, ins, isindex, kbd, menu, q, s, tt?
> Why are such attributes as dir, lang, xml:lang, summary (table tag), alink, vlink, background (body tag) not allowed?
>
> Thanks
> Alex
>
> Invalid tags:
>
> abbr, acronym, address, applet, area, base, basefont, bdo, caption, dd, del, dfn, dir, dl, dt, frame, frameset, iframe, ins, isindex, kbd, menu, meta, noframes, object, optgroup, param, q, s, script, title, tt, var
> Invalid attributes:
>
> a [accesskey, charset, coords, dir, hreflang, rev, shape, tabindex, target, xml:lang]
> b [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> big [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> blockquote [cite, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> body [alink, background, dir, link, text, vlink, xml:lang]
> button [dir, tabindex, xml:lang]
> center [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup]
> cite [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> code [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> col [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> colgroup [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> div [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> em [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> fieldset [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> font [dir]
> form [accept, accept-charset, dir, enctype, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onreset, onsubmit, target, xml:lang]
> h1 [align, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> head [dir, profile, xml:lang]
> hr [align, dir, noshade, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, size, width, xml:lang]
> html [dir, xml:lang, xmlns]
> i [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> img [dir, ismap, longdesc, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, usemap, xml:lang]
> input [accept, align, dir, onblur, onchange, onclick, ondblclick, onfocus, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onselect, tabindex, xml:lang]
> label [accesskey, dir, onblur, onclick, ondblclick, onfocus, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> legend [accesskey, align, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> li [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, type, value, xml:lang]
> link [charset, dir, href, hreflang, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, rev, target, xml:lang]
> map [onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> noscript [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> ol [compact, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, start, type, xml:lang]
> option [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> p [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> pre [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, width, xml:lang]
> samp [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> select [dir, onblur, onchange, onclick, ondblclick, onfocus, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onselect, tabindex, xml:lang]
> small [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> span [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> strike [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup]
> strong [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> style [dir, xml:lang]
> sub [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> sup [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> table [dir, frame, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, rules, summary, xml:lang]
> tbody [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> td [abbr, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> textarea [dir, onblur, onchange, onclick, ondblclick, onfocus, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onselect, tabindex, xml:lang]
> tfoot [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> th [abbr, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> thead [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> tr [bgcolor, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, xml:lang]
> u [dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup]
> ul [compact, dir, onclick, ondblclick, onkeydown, onkeypress, onkeyup, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, type, xml:lang]
>
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
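The whitelist model Jason Li describes in the thread, as an added example that is not part of the original messages and not AntiSamy's own code or policy format: a toy sanitizer in Python whose policy lists only the tags and attributes that may pass, so anything unlisted (including tags nobody would think to blacklist, such as isindex or bdo) is stripped rather than needing an explicit deny rule. POLICY, GLOBAL_ATTRS, URL_ATTRS, DROP_CONTENT, the url_ok() scheme check and the SAMPLE input are all assumptions constructed for this example; a real AntiSamy policy is far larger and is applied to a parsed DOM rather than a token stream.

```python
"""Toy whitelist HTML sanitizer illustrating the policy model discussed above.

Constructed example code, not AntiSamy. The policy tables below are assumptions
chosen for illustration and are much smaller than any real policy file.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical policy: tag -> attributes allowed on that tag (plus GLOBAL_ATTRS).
# A tag absent from this table is not "blacklisted"; it simply is not permitted,
# which is the distinction the thread draws between a whitelist and a blacklist.
POLICY = {
    "p": set(), "b": set(), "i": set(), "ul": set(), "ol": set(), "li": set(),
    "br": set(),
    "a": {"href"},
    "img": {"src", "alt", "width", "height"},
    "table": set(), "tr": set(), "td": set(), "th": set(),
}
GLOBAL_ATTRS = {"id", "class", "title"}   # allowed on every listed tag
URL_ATTRS = {"href", "src"}                # values must pass url_ok()
DROP_CONTENT = {"script", "style"}         # tag and its contents are discarded
VOID = {"br", "img"}                       # never pushed on the open-element stack
SAFE_SCHEMES = {"http", "https", "mailto"}


def url_ok(value: str) -> bool:
    """Accept relative URLs and http/https/mailto; reject javascript:, data:, vbscript:.

    Browsers strip tabs and newlines before parsing the scheme, so a value
    containing any whitespace or control character is rejected outright.
    """
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        return False
    scheme = urlsplit(value).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class WhitelistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.errors: list[str] = []   # what was dropped and why
        self._stack: list[str] = []   # open allowed elements, for balanced output
        self._suppress = 0            # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._suppress += 1
            self.errors.append(f"tag <{tag}> removed with its contents")
            return
        if self._suppress:
            return
        if tag not in POLICY:
            # Unlisted tag: strip the tag, keep its text (isindex, bdo, address, ...).
            self.errors.append(f"tag <{tag}> not in policy, tag stripped")
            return
        allowed = POLICY[tag] | GLOBAL_ATTRS
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in allowed:   # covers every on* event handler as well
                self.errors.append(f"attribute {name} not allowed on <{tag}>")
                continue
            if name in URL_ATTRS and not url_ok(value):
                self.errors.append(f"attribute {name} on <{tag}> has disallowed URL")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self._stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._suppress = max(0, self._suppress - 1)
            return
        if self._suppress or tag not in self._stack:
            return
        while self._stack:   # close anything left open inside this element
            open_tag = self._stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):   # comments are dropped, never re-emitted
        self.errors.append("comment removed")

    def finish(self) -> None:
        while self._stack:            # close elements the input left open
            self.out.append(f"</{self._stack.pop()}>")


def sanitize(html: str) -> tuple[str, list[str]]:
    """Return (clean_html, list_of_dropped_items) for untrusted input."""
    s = WhitelistSanitizer()
    s.feed(html)
    s.close()
    s.finish()
    return "".join(s.out), s.errors


# Constructed sample mixing allowed markup with the tags and attributes
# questioned in the thread (address, isindex, bdo, onclick, target).
SAMPLE = ('<p onclick="alert(1)" class="note">Hi <b>there</b></p>'
          '<address>untrusted "contact info"</address>'
          '<isindex prompt="Search">'
          '<a href="javascript:alert(1)">x</a>'
          '<a href="http://example.com" target="_blank">ok</a>'
          '<script>steal()</script>'
          '<bdo dir="rtl">flip</bdo>')

if __name__ == "__main__":
    clean, errors = sanitize(SAMPLE)
    print(clean)
    for e in errors:
        print(" -", e)
```

Nothing in this toy mentions isindex, bdo or address, yet all three are stripped, and onclick and target go the same way because only listed attributes survive; the errors list plays the role of AntiSamy's CleanResults error messages for explaining to a user what was removed. Two caveats: the scheme check fails closed on anything that looks like an unknown scheme (urlsplit treats "host:port/path" as a scheme), and unclosed elements are closed at the end rather than repaired by a real HTML parser as AntiSamy does.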