[Owasp-antisamy] Toward safe Flash filtering -- dealing with "param" tags

Jim Manico jim at manico.net
Tue Sep 29 21:16:11 EDT 2009


Oooops, he did it again. Erik is not.. that... Innocent!

Jim

On Sep 29, 2009, at 6:01 PM, Erik <downward_machine at yahoo.com> wrote:

> Good news, everyone! I've come up with a way to make AntiSamy now  
> process the data in name and value attributes in <param> tags.
>
> I had to do this because, in order to promote security while  
> allowing video embeds, I've simply been filtering out all <param>  
> tags. I didn't notice that this was breaking video embeds in  
> Internet Explorer until after we deployed because I, sane, don't use  
> IE. But whatever -- removing <param> tags breaks video embeds, you  
> can't filter them with AS, and IE requires them. See:
>
> http://java.sun.com/j2se/1.5.0/docs/guide/plugin/developer_guide/using_tags.html#html
>
> How annoying. My solution was to modify AS such that it now treats  
> <param> tags somewhat like <embed> tags. After all, since the data  
> is redundant, the tag-rule definitions in the AS policy file should  
> be very close. As an added bonus, it required little modification to  
> AS.
>
> As an example, imagine an embed code like this:
>
> <object width="560" height="340">
>    <param name="movie"
>        value="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"></param>
>    <param name="allowFullScreen" value="true"></param>
>    <param name="allowscriptaccess" value="always"></param>
>    <embed src="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"
>        type="application/x-shockwave-flash" allowscriptaccess="always"
>        allowfullscreen="true" width="560" height="340"></embed></object>
>
> With a certain directive activated, AS internally converts the  
> <param> tags to think of them as:
>
> <object width="560" height="340">
>    <embed movie="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"></embed>
>    <embed allowFullScreen="true"></embed>
>    <embed allowscriptaccess="always"></embed>
>    <embed src="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"
>        type="application/x-shockwave-flash" allowscriptaccess="always"
>        allowfullscreen="true" width="560" height="340"></embed></object>
>
> With the following directive set in the policy file:
>
> <directive name="validateParamAsEmbed" value="true" />
>
> The output, of course, comes out looking correct, like the first  
> embed code, assuming you've allowed these tags and attributes.
>
> In order for this directive to activate, it first checks for the  
> following:
> --the validateParamAsEmbed directive is set to "true"
> --there is no tag-rule for the <param> tag
> --there is a tag-rule in place for the <embed> tag
> --the <embed> tag-rule action is "validate"
>
> It is finished and we will be deploying it at my work. I'll be  
> committing it to the AS SVN repo just as soon as they let me =) Enjoy!
>
> --Erik Innocent
>
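As an added illustration (not AntiSamy's code and not Erik's patch), the model below applies the rule from the post to a fragment: each `<param name="x" value="y">` is accepted or dropped exactly as the attribute `x="y"` on an `<embed>` would be, once the four preconditions Erik lists have been checked. The policy is a constructed Python dict standing in for the AS policy file (one regex per allowed attribute), and it admits `allowscriptaccess` only as `never` or `sameDomain`, so the `always` param from the example above is rejected rather than passed through.

```python
import html, re
from html.parser import HTMLParser

# Constructed AntiSamy-like policy (a dict, not AntiSamy's XML); deliberately no rule for <param>.
YT = r"https?://www\.youtube\.com/v/[\w&=?-]+"
POLICY = {"directives": {"validateParamAsEmbed": True}, "tags": {
    "object": {"action": "validate", "attrs": {"width": r"\d{1,4}", "height": r"\d{1,4}"}},
    "embed": {"action": "validate", "attrs": {"src": YT, "movie": YT, "width": r"\d{1,4}",
        "height": r"\d{1,4}", "type": r"application/x-shockwave-flash",
        "allowfullscreen": r"true|false", "allowscriptaccess": r"never|sameDomain"}}}}

def param_as_embed_active(policy):  # the four preconditions from the post, in order
    t = policy["tags"]
    return (policy["directives"].get("validateParamAsEmbed") is True and "param" not in t
            and "embed" in t and t["embed"]["action"] == "validate")

def attr_ok(rule, name, value):  # attribute known for this tag and value matches its regex?
    return re.fullmatch(rule["attrs"].get(name.lower(), r"(?!)"), value or "") is not None

class ParamAwareFilter(HTMLParser):
    def __init__(self, policy):
        super().__init__()
        self.policy, self.out, self.dropped = policy, [], []
    def handle_starttag(self, tag, attrs):
        tags, attrs, keep = self.policy["tags"], dict(attrs), None
        if tag == "param" and param_as_embed_active(self.policy):
            # name="x" value="y" is judged exactly as the attribute x="y" on an <embed> would be
            if attr_ok(tags["embed"], attrs.get("name", ""), attrs.get("value")):
                keep = {k: attrs[k] for k in ("name", "value")}
        elif tag in tags and tags[tag]["action"] == "validate":
            keep = {k: v for k, v in attrs.items() if attr_ok(tags[tag], k, v)}
        if keep is None:  # no tag-rule, or a rejected <param>: drop the tag and its contents
            self.dropped.append(tag)
            return
        rendered = "".join(' %s="%s"' % (k, html.escape(v, quote=True)) for k, v in keep.items())
        self.out.append("<%s%s>" % (tag, rendered))
    def handle_endtag(self, tag):
        if self.dropped and self.dropped[-1] == tag:
            self.dropped.pop()
        elif not self.dropped:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.dropped:
            self.out.append(data)

def filter_fragment(fragment, policy=POLICY):
    f = ParamAwareFilter(policy)
    f.feed(fragment)
    f.close()
    return "".join(f.out)
```

Feeding the embed code from the post to filter_fragment() returns it with the `allowscriptaccess` param and the matching `<embed>` attribute removed; with the directive unset, every `<param>` is dropped, which is the breakage Erik describes.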

