Security risks from user-submitted HTML

长情又很酷 2021-01-21 07:22

I am using a contentEditable div that allows users to edit the body HTML and then post it directly to site using an AJAX request. Naturally, I have to do some security checks o

4 Answers
  •  臣服心动
    2021-01-21 07:35

    Yes. There are an alarming number of ways that malicious code can be injected into your site.

    Other answers have already mentioned all of the most obvious ones, but there are a lot of much more subtle ways to get in, and if you're going to accept user-submitted HTML code, you need to be aware of them all, because hackers don't just try the obvious stuff and then give up.

    You need to check all event handling attributes - not just onclick, but everything: onfocus, onload, even onerror and onscroll can be hacked.

    But more importantly than that, you need to watch out for hacks that are designed to get past your validation. For example, using broken HTML to confuse your parser into thinking it's safe:

    
    

    or

    
    

    or

    ReallySneakyJavascript();0
    

    All of these could easily slip past a validator.

    And don't forget that a real hack is likely to be more obfuscated than this. They'll make an effort to make it hard for you to spot, or to understand what it's doing if you do spot it.

    I'll finish by recommending this site: http://html5sec.org/ which has details of a large number of attack vectors, most of which I certainly wouldn't have thought of. (the examples above all feature in the list)
