Closed Bug 162511 Opened 23 years ago Closed 23 years ago

Security html tag

Categories

(Core :: DOM: HTML Parser, enhancement)

Product:
Core
Component:
DOM: HTML Parser
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: capaz, Assigned: harishd)

Details

Sorry about the lengthy post... A problem that most web developers must face sometime is the security risk involved with the publication of user contributed data on their website that allows some html formatting tags, since there is a chance that a malicious user adds some java/javascript code that, when the page is displayed, steals session information or performs other actions on behalf of other users browsing the page. There isn't yet (AFAIK) a universal solution to this problem: not all web development languages provide a way to block some tags and let others on a page, and many web developers currently strip out the <javascript> tag on user's data but fail to check for less known but equally dangerous tags (like onClick, onMouseOver, etc). Even though this seems like a server side problem, I think that clients are involved on this issue too, since some code enabling tags depend on the browsers (IE's activex, for example) and since they do all the document parsing and the lexical/semantic analysis of the page; adding some extra logic to deal with the problem above shouldn't be too difficult. I propose a new tag like this: ------------------------------ <html> ... web app's html ... <p>A user's comment:</p> <security block="action_tags" id="SECURITY_TAG_ID" report_to="/security.php"> Here goes the user's data, comments, hmtl, etc. All harmless html code is rendered, but code enabling tags (java/script,activex, etc) stuff is ignored. </security id="SECURITY_TAG_ID"> ... The rest of the app's html. ... </html> ------------------------------ The <security> tag explicitly tells the browser to block all code enabling tags on the enclosed block, this could be refined to something like "enable only a safe subset of the javascript engine" (enable alert windows and status bar handling, disable access to cookies, fetching other documents or altering the form's action attribute) The "SECURITY_TAG_ID" value on the id attribute is a random and hard to guess string generated by the web app stored safely in the browser parsing engine, used to "authenticate" the closing </security> tag. This would avoid that a malicious user could block prematurely the security enhanced block. The report_to attribute would be used by the browser to report a page (uri) when there is an attempt to use unauthorized code or an invalid </security> tag on the corresponding security block. Additional information like the session's data or type of violation attempted could be provided. This is just a first attempt to define this feature, further development, suggestions and corrections are greatly appreciated.
This is a wrong forum for this discussion. If you really want this, please contant the W3C HTML Working Group and ask them to consider that tag for XHTML 2.0. http://www.w3.org/TR/xhtml2/ has information about public mailing lists etc. Marking this INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.