
Is there any HTTP header to disable JavaScript for a specific page? My website delivers user-generated HTML content (that is why I cannot just use htmlentities) and I would like to prevent scripting (JavaScript injections).

I already use HttpOnly-cookies being set for authentication on the main domain only, while user content is only displayed on subdomains where the cookie cannot be read. The problem is that there are still too many possibilities to execute JavaScript - for example using event attributes like onclick and Internet Explorer has even a property in CSS to allow JavaScript executions (expression) which I had never heard of before. Another interesting idea I have read of, was about throwing an exception in order to block the code following. One more idea would be defining a list containing all allowed tags and additionally an array with each allowed attribute name but this is very hard work and I guess this would not cover all possible injections.

I guess I am not the only person having this problem, so does anybody know a possibility covering all possible harmful code - at least in modern browsers?

A simple imaginary header similar to X-Scripting: disabled would make life so much easier!

  • Have you ever thought of blocking script tags and certain attributes in user input? Commented Jul 14, 2012 at 12:19
  • That's what I meant by: "One more idea would be defining a list containing all allowed tags and additionally an array with each allowed attribute name but this is very hard work and I guess this would not cover all possible injections." (So I would for example allow harmless tags like "div" or "span" and disable attributes like "onclick", "onmouseover", but this would not cover all injections since browsers have different, browser-specific attributes and properties) Commented Jul 14, 2012 at 12:22
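The allowlist approach discussed in the question and the comment above, written out as an added example (this is not code from the question or from any library it mentions). Instead of denying known-bad attributes such as onclick or a CSS expression(), it keeps only tags and attributes that are explicitly allowed, which is why browser-specific event attributes never need to be enumerated; the tag and attribute sets, and the hypothetical sample inputs in the demo, are assumptions chosen for illustration.

```python
"""Allowlist-based sanitizer for user-supplied HTML (added example).

Every tag or attribute that is not on the allowlist is dropped; text
content is always kept but re-escaped.  URL-bearing attributes are
additionally restricted to http(s) or relative URLs.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowed tags and, per tag, the attributes that may survive (assumed set).
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "div": set(), "span": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}   # "" means a relative URL
VOID_TAGS = {"br", "img"}              # never emit a closing tag for these


def safe_url(value):
    """Accept only http(s) or relative URLs; javascript:, data:, vbscript: etc. are rejected."""
    value = value.strip()
    # Control characters inside the scheme are a classic filter bypass, so reject them outright.
    if any(ord(c) < 0x20 for c in value):
        return False
    return urlparse(value).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True hands us decoded text, so &#58; in an attribute cannot hide a colon.
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                      # tag dropped; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:       # names are already lower-cased by HTMLParser
            if name not in ALLOWED[tag] or value is None:
                continue                # covers onclick, onerror, style, and any vendor attribute
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes (including the body of a dropped <script>) are emitted as escaped text only.
        self.out.append(escape(data, quote=False))


def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample inputs covering the cases raised in the question.
    for sample in (
        '<p onclick="alert(1)">hi</p>',
        '<a href="javascript:alert(1)">x</a>',
        '<IMG SRC=x ONERROR=alert(1)>',
        '<div style="width: expression(alert(1))">x</div>',
        '<script>alert(1)</script>',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The decisive design choice is that the sanitizer re-serialises the markup itself from a parsed tree rather than patching the original string, so malformed or mis-nested input can never slip an unparsed attribute through; pair it with a maintained library such as the HTMLPurifier named later on this page if the allowlist has to grow beyond a handful of tags.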

1 Answer


Yes, there is an experimental HTTP header called the Content Security Policy that allows you to control where JavaScript comes from, which can make XSS impossible. However it is currently only supported by Chrome and Firefox.

It is a good idea to enable HttpOnly-cookies, however this will prevent exactly ZERO attacks. You can still exploit XSS by reading CSRF tokens, and carrying out requests with an XHR.

There are many ways of obtaining XSS, and a Vulnerability Scanner like ShieldSeal (down) will find (nearly) all of them. Skipfish is an open source vulnerability scanner that is very primitive, but it's free. This is how most web applications deal with widespread vulnerabilities. (I work for ShieldSeal and I help build their vulnerability scanner and I love my job.)

When an issue is found you should use htmlspecialchars($var) or htmlspecialchars($var, ENT_QUOTES) to sanitize input. ENT_QUOTES can prevent an attacker from introducing an onclick or other JavaScript event.
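The two measures the answer recommends, a Content Security Policy that forbids script execution and quote-aware output escaping (the ENT_QUOTES point), as an added example in Python rather than the answer's PHP; it is not code from the answer or from any project named on this page. The directive set, the small policy checker and the profile_link helper are assumptions made for illustration; the header name Content-Security-Policy is the standardised one.

```python
"""CSP for a user-content subdomain plus context-correct escaping (added example).

Layer 1: a policy whose effective script-src is 'none', so a filter bypass in
the user markup still cannot run JavaScript in a CSP-aware browser.
Layer 2: escaping for values the application itself interpolates into its
templates, with quotes escaped so an attribute context cannot be broken out of.
"""
from html import escape


def user_content_csp():
    """Policy for pages whose body is user-supplied HTML (assumed directive set)."""
    directives = [
        "default-src 'none'",          # nothing loads unless a directive below allows it
        "script-src 'none'",           # explicit: no inline, no external, no eval
        "img-src https:",              # user posts may embed images over HTTPS
        "style-src 'unsafe-inline'",   # keep style="" in user markup; CSP-aware browsers never ran expression()
    ]
    return "; ".join(directives)


def response_headers():
    """Headers a server would attach to every response on the user-content host."""
    return {
        "Content-Security-Policy": user_content_csp(),
        "X-Content-Type-Options": "nosniff",   # stop a user upload being sniffed into a script
    }


def parse_csp(header_value):
    """Parse "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def scripts_blocked(header_value):
    """True only when the effective script-src (script-src, else default-src) is exactly 'none'."""
    policy = parse_csp(header_value)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False                   # no script restriction at all
    return [s.lower() for s in sources] == ["'none'"]


def escape_attribute(untrusted):
    """For a double-quoted attribute: like htmlspecialchars($v, ENT_QUOTES)."""
    return escape(untrusted, quote=True)


def escape_text(untrusted):
    """For a text node: like htmlspecialchars($v) without ENT_QUOTES."""
    return escape(untrusted, quote=False)


def profile_link(display_name):
    """Hypothetical template: the same untrusted value lands in two different contexts."""
    return '<a title="%s">%s</a>' % (escape_attribute(display_name), escape_text(display_name))


if __name__ == "__main__":
    for name, value in response_headers().items():
        print(f"{name}: {value}")
    print("scripts blocked:", scripts_blocked(user_content_csp()))
    # Constructed probe: a quote followed by an event attribute.
    print(profile_link('" onclick="alert(1)'))
```

Escaping is applied at output time, per context, which is the "sanitize at the time of use" advice from the comments; the CSP layer is independent of it, so a mistake in either layer does not on its own yield script execution in a browser that enforces the policy.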


4 Comments

The only problem is that users should be as free as possible in generating their HTML-content, but without executing dynamic client-side code. SQL-injections or PHP-injections are not a problem because the code is stored in a database, not in .php-files and all parameters are cleaned before any use in SQL-statements. As for example there are necessary attributes like src for img-tags I cannot simple use ENT_QUOTES and sanitize all input. But I will read more about the Content Security Policy, to secure my site at least for Firefox/Chrome-Users.
@Birk oh I misread that, then you do want to use HTMLPurifier. Also you should usually sanitize at the time of use, so sanitize on output for XSS. However, HTMLPurifier uses a lot of resources, so you should probably use that before inserting to the database.
@Birk, you might also want to check out the Google Caja project for safe embedding of HTML/CSS. developers.google.com/caja
@Mikey link to "ShieldSeal" is down
