On 2010/08/17 20:19:04, xtof wrote:
On 2010/08/17 18:39:28, jat wrote:
> On 2010/08/16 23:39:47, tbroyer wrote:
> > The HtmlSanitizer is a good idea, but the implementation is very weak [2].
>
> Note that the API is what is important, and SimpleHtmlSanitizer is just that, a simple implementation.  A more involved implementation can be added later.
>
> Also, we aren't trying to parse HTML with a regex here, it simply looks for opening tags and allows unescaped on a small set of whitelisted tags -- everything else gets escaped.  If you think it fails to do its job, can you supply a string which would not be properly sanitized?

Looking at the code more closely it would merely "fail" by overly rejecting tags that are whitelisted: i.e. "<b foo=<i>should be bold" would be sanitized to "&lt;b foo=<i>should be bold" and the end part would be italicized instead of bold.
But there's more:

In other words, does SimpleHtmlSanitizer adhere to the SafeHtml type contract? I believe it does, but of course would like arguments/hunches towards the contrary.

SafeHtml calls for XSS mitigation, and SimpleHtmlSanitizer doesn't sanitize most XSS attacks that use attributes:
"<b style='position:absolute;z-index:2147483646;left:0px;top:0px;right:0px;bottom:0px' onmousemove=\"alert(&quot;you've been highjacked&quot;);\">"

Having said that, I kind of agree that SimpleHtmlSanitizer is of pretty limited use; one of the few scenarios where I can see it used is for rendering messages/snippets that are formatted with limited HTML markup, and are obtained from a complex backend that the developer of the GWT client doesn't quite want to trust to uphold the SafeHtml type contract.  I wouldn't be terribly opposed to dropping it.

I didn't want to implement a full parser, because parsing full HTML (say in an email app) inside the browser generally seems like a bad approach.

I agree, and I'd be OK with removing HtmlSanitizer from this patch to better reintroduce it later.

http://gwt-code-reviews.appspot.com/771801/show

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors

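To make the two observations in the thread concrete, here is an added example (not GWT's SimpleHtmlSanitizer and not code from any participant) that models the "whitelist a few tag names, escape everything else" approach jat describes. It goes a little beyond the thread by contrasting two variants of that approach: a hypothetical name-only check that lets attributes ride along, and a stricter check that only passes bare `<name>` / `</name>` tags. The tag whitelist, the helper names and both variants are assumptions made for illustration; the two inputs are the ones tbroyer posted.

```javascript
// Added example: a model of the "whitelist a few tag names, escape
// everything else" sanitizer discussed in the thread. This is NOT GWT's
// SimpleHtmlSanitizer; the whitelist below and both variants are assumed
// for illustration only.

// Assumed whitelist of harmless formatting tags (the thread only says
// "a small set of whitelisted tags").
const TAG_WHITELIST = new Set(['b', 'i', 'em', 'strong']);

// Escape the characters that can change meaning in HTML text or attribute
// context. Entities already present in the input (e.g. &quot;) are escaped
// too, which is the conservative choice for this model.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Shared driver: split on '<', escape the leading text, then let
// `tagLength` decide for each remaining segment how many characters (up to
// and including '>') form a whitelisted tag to pass through verbatim.
// A return of 0 means "not allowed": the '<' and the whole segment are
// escaped. Returns the sanitized string.
function sanitizeWith(html, tagLength) {
  const parts = html.split('<');
  let out = escapeHtml(parts[0]);
  for (const seg of parts.slice(1)) {
    const n = tagLength(seg);
    if (n > 0) {
      // Whitelisted tag: emit it unchanged, escape only the text after it.
      out += '<' + seg.slice(0, n) + escapeHtml(seg.slice(n));
    } else {
      // Not whitelisted, or no '>' before the next '<' (as in "<b foo=<i>"):
      // escape the '<' together with the rest of the segment.
      out += '&lt;' + escapeHtml(seg);
    }
  }
  return out;
}

// Variant A (hypothetical naive design): accept the tag when the segment
// starts with a whitelisted *name*, regardless of what follows up to '>'.
// Attributes, including event handlers, ride along unescaped.
function sanitizeNameOnly(html) {
  return sanitizeWith(html, (seg) => {
    const m = /^\/?([a-z0-9]+)[^>]*>/i.exec(seg);
    return m && TAG_WHITELIST.has(m[1].toLowerCase()) ? m[0].length : 0;
  });
}

// Variant B (hardened): accept only a bare "<name>" or "</name>". Anything
// carrying attributes is escaped, so no attribute-based payload survives.
function sanitizeStrict(html) {
  return sanitizeWith(html, (seg) => {
    const m = /^\/?([a-z0-9]+)>/i.exec(seg);
    return m && TAG_WHITELIST.has(m[1].toLowerCase()) ? m[0].length : 0;
  });
}

// Inputs taken from the thread.
const OVER_REJECT_INPUT = '<b foo=<i>should be bold';
const ATTRIBUTE_PAYLOAD =
  "<b style='position:absolute;z-index:2147483646;left:0px;top:0px;right:0px;bottom:0px' " +
  'onmousemove="alert(&quot;you\'ve been highjacked&quot;);">';

// Both variants over-reject the broken <b ...> and keep the <i>, exactly as
// described in the thread: "&lt;b foo=<i>should be bold".
console.log('name-only:', sanitizeNameOnly(OVER_REJECT_INPUT));
console.log('strict:   ', sanitizeStrict(OVER_REJECT_INPUT));

// The name-only variant passes the attribute payload through untouched;
// the strict variant escapes it entirely.
console.log('name-only:', sanitizeNameOnly(ATTRIBUTE_PAYLOAD));
console.log('strict:   ', sanitizeStrict(ATTRIBUTE_PAYLOAD));
```

Rejecting any whitelisted tag that carries attributes is what closes the `onmousemove` / `style` hole; it costs nothing for the "limited HTML markup" use case described above, where the backend is only expected to emit bare formatting tags. Note that even the strict variant is still a tag filter, not a parser: it does not track nesting or unclosed tags, which is part of why the thread ends up leaning towards dropping the class from the patch.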