[Owasp-antisamy] Toward safe Flash filtering -- dealing with "param" tags

Erik downward_machine at yahoo.com
Tue Sep 29 21:01:53 EDT 2009


Good news, everyone! I've come up with a way to make AntiSamy now process the data in name and value attributes in <param> tags.

I had to do this because, in order to promote security while allowing video embeds, I've simply been filtering out all <param> tags. I didn't notice that this was breaking video embeds in Internet Explorer until after we deployed because I, sane, don't use IE. But whatever -- removing <param> tags breaks video embeds, you can't filter them with AS, and IE requires them. See:

http://java.sun.com/j2se/1.5.0/docs/guide/plugin/developer_guide/using_tags.html#html

How annoying. My solution was to modify AS such that it now treats <param> tags somewhat like <embed> tags. After all, since the data is redundant, the tag-rule definitions in the AS policy file should be very close. As an added bonus, it required little modification to AS.

As an example, imagine an embed code like this:

<object width="560" height="340">
	<param name="movie"
		value="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"></param>
	<param name="allowFullScreen" value="true"></param>
	<param name="allowscriptaccess" value="always"></param>
	<embed src="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"
		type="application/x-shockwave-flash" allowscriptaccess="always"
		allowfullscreen="true" width="560" height="340"></embed></object>

With a certain directive activated, AS internally treats the <param> tags as if they were:

<object width="560" height="340">
	<embed movie="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"></embed>
	<embed allowFullScreen="true"></embed>
	<embed allowscriptaccess="always"></embed>
	<embed src="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"
		type="application/x-shockwave-flash" allowscriptaccess="always"
		allowfullscreen="true" width="560" height="340"></embed></object>

With the following directive set in the policy file:

<directive name="validateParamAsEmbed" value="true" />

The output, of course, comes out looking correct, like the first embed code, assuming you've allowed these tags and attributes.

In order for this directive to take effect, AS first checks the following:
--the validateParamAsEmbed directive is set to "true"
--there is no tag-rule for the <param> tag
--there is a tag-rule in place for the <embed> tag
--the <embed> tag-rule action is "validate"
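The precondition check and the param-to-embed mapping described above, as an added illustration that is not part of the original post and not AntiSamy's own code; the Policy/TagRule classes, the attribute regex patterns and the lower-casing of attribute names are assumptions made for this example:

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for an AntiSamy policy file (not the real AntiSamy API).
@dataclass
class TagRule:
    action: str                                      # e.g. "validate", "remove"
    attributes: dict = field(default_factory=dict)   # attr name -> allowed value regex

@dataclass
class Policy:
    directives: dict                                 # directive name -> value
    tag_rules: dict                                  # tag name -> TagRule

def param_as_embed_enabled(policy):
    """The four preconditions from the post, checked in order."""
    if policy.directives.get("validateParamAsEmbed") != "true":
        return False
    if "param" in policy.tag_rules:                  # an explicit <param> rule wins
        return False
    embed = policy.tag_rules.get("embed")
    return embed is not None and embed.action == "validate"

def validate_param(policy, name, value):
    """Validate <param name=N value=V> as if it were <embed N="V">.
    Returns (name, value) to keep, or None if the param must be dropped."""
    if not param_as_embed_enabled(policy):
        return None
    pattern = policy.tag_rules["embed"].attributes.get(name.lower())  # assumed case-insensitive
    if pattern is None or not re.fullmatch(pattern, value):
        return None                                  # attribute not allowed, or value rejected
    return (name, value)

def filter_params(policy, params):
    """Apply validate_param to a list of (name, value) pairs, keeping only the survivors."""
    return [kept for n, v in params if (kept := validate_param(policy, n, v))]

# Constructed policy: <embed> is validated, no <param> rule, the directive is on.
# allowscriptaccess deliberately does NOT admit "always", so that param is dropped.
POLICY = Policy(
    directives={"validateParamAsEmbed": "true"},
    tag_rules={"embed": TagRule("validate", {
        "movie": r"https?://www\.youtube\.com/v/[A-Za-z0-9_-]+(&[a-z]+=[A-Za-z0-9]+)*&?",
        "allowfullscreen": r"true|false",
        "allowscriptaccess": r"never|sameDomain",
    })},
)
```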

It is finished and we will be deploying it at my work. I'll be committing it to the AS SVN repo just as soon as they let me =) Enjoy!

--Erik Innocent
