Accepted list approach explain AntiXSS

Submitted by ぐ巨炮叔叔 on 2019-12-13 07:12:44

Question


On one of the sites I found this statement in an article:

The AntiXSS Library takes an accepted-list approach, whereas the .NET Framework takes a blocked-list approach.

Please explain to me what an accepted-list approach and a blocked-list approach mean?


Answer 1:


In security parlance, the accepted-list approach is called a whitelist approach and the blocked-list approach is called a blacklist approach.

Please refer to the discussion at What is whitelist and blacklist data? or google "blacklist vs whitelist".

Fiction from Hollywood: Let's imagine a virus outbreak (like the bio-virus outbreak in the Resident Evil movie), an infection that affected the entire world. You are not infected and you are left alone, but you have a hunch that there are some people who are not infected, just like you. After the virus attacks, it takes 2-3 hours for a person to realize the infection and become a zombie. You want to build a secure facility to save yourself from being infected. Over radio communication you hear that some pharma company has invented a vaccine for the virus.

You now have two approaches to build a perimeter security system for your secure facility:

  1. Do not allow people that are virus infected zombies [but allow everybody else] ==> Blacklist approach
  2. Only allow people that are vaccinated [deny everybody else] ==> Whitelist approach

Let's talk about which is a safer approach.

  1. Do not allow people that are virus infected but allow everybody else: When the virus infection takes 2-3 hours to show up, this method will fail. Someone who has been attacked by the virus and has not realized the infection yet will pass through and infect the secure facility.
  2. Only allow people that are vaccinated and deny everybody else: Vaccinated people cannot get infected, and you are allowing only them. You do not care whether a human is infected or has been attacked by the virus (and has not realized the infection yet); you deny them. You only allow people that are vaccinated because you trust the vaccine. This is a more secure approach, isn't it?

Let's put all this in the context of Cross Site Scripting (XSS)

  1. Blacklist approach: Block all tags/strings like <script>, javascript, src, object, class, input, image, href. A more comprehensive list: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

    Drawbacks: This blacklist filter would miss vulnerabilities from newly introduced HTML5 tags like <video>, <picture> etc., because the blacklist does not know yet that the video and picture tags could be abused; who knows, there may be more instances alike. https://html5sec.org/

  2. Whitelist approach: Allow only tags that are known to be safe, for example <p>, <b>, <i>, <strong>, <ul>, <li>.

    Advantages: You are safer than with the blacklist approach because you trust tags like <p> and <b> (just as if they were vaccinated) and deny everything else. Everything else includes potentially unsafe tags and the tags you don't care about. All you care about is what is known to be safe, and you accept only that.

A whitelist validation typically goes beyond tags; it includes CSS classes and JavaScript events as well. If not Microsoft AntiXSS, try OWASP AntiSamy.

More reads:

  1. Why use a whitelist for HTML sanitizing?
  2. https://kevtownsend.wordpress.com/2011/08/24/whitelisting-vs-blacklisting/
  3. What is whitelist and blacklist data?
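The two approaches from the answer above, side by side, as an added example that is not part of the original answer and is not the code of Microsoft AntiXSS or OWASP AntiSamy. It is a language-neutral illustration in Python: a blacklist filter built from the answer's own list of blocked strings, and a whitelist sanitizer that keeps only the answer's safe tags (`p`, `b`, `i`, `strong`, `ul`, `li`), drops every attribute (so CSS classes and JavaScript event handlers disappear as well), and escapes all remaining text. The sample input is constructed for the demonstration; the `<video>` element with an event attribute stands in for the "newly introduced HTML5 tag" the answer says a blacklist does not yet know about.

```python
from html.parser import HTMLParser
from html import escape
import re

# Accept-list (whitelist): only these tags survive, and never with attributes.
ALLOWED_TAGS = {"p", "b", "i", "strong", "ul", "li"}

# Block-list (blacklist): the answer's list of "dangerous" strings, deliberately
# as incomplete as any blacklist is.
BLOCKED_FRAGMENTS = ("script", "javascript", "src", "object",
                     "class", "input", "image", "href")


def blacklist_filter(html: str) -> str:
    """Drop any tag whose text contains a blocked fragment; pass everything else through."""
    def drop_if_blocked(match: re.Match) -> str:
        tag = match.group(0)
        return "" if any(f in tag.lower() for f in BLOCKED_FRAGMENTS) else tag
    return re.sub(r"<[^>]*>", drop_if_blocked, html)


class WhitelistSanitizer(HTMLParser):
    """Rebuild the document keeping only allowed tags, with no attributes,
    and escape all text so that nothing else can form markup."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag in ALLOWED_TAGS:          # attrs are intentionally discarded
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        self.out.append(escape(data, quote=True))

    def result(self) -> str:
        return "".join(self.out)


def whitelist_sanitize(html: str) -> str:
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


# Constructed sample input: a styled paragraph, an HTML5 tag the blacklist has
# never heard of (with a placeholder event handler), and text containing "<".
SAMPLE = ('<p class="note">Hello <b>world</b></p>'
          '<video controls onloadstart="x()"></video>'
          '<p>1 &lt; 2</p>')

if __name__ == "__main__":
    print("blacklist:", blacklist_filter(SAMPLE))
    print("whitelist:", whitelist_sanitize(SAMPLE))
```

Run as a script, the blacklist output still contains the `<video ...>` element untouched (none of the blocked strings appear in it) while it has also mangled the harmless paragraph by removing the `<p class="note">` start tag; the whitelist output is `<p>Hello <b>world</b></p><p>1 &lt; 2</p>`, with the unknown tag and every attribute gone. That asymmetry is the whole point of the answer: a blacklist has to predict every future abuse, a whitelist only has to name what it trusts.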


Source: https://stackoverflow.com/questions/29506344/accepted-list-approach-explain-antixss
