Noah Petherbridge
Posted by Noah Petherbridge on Tuesday, June 19 2012 @ 04:24:05 PM

I decided to take a serious look at the HTML::Defang module. It's supposed to take some arbitrary HTML input and sanitize it, removing anything potentially malicious in the process (attempts to execute JavaScript code, embedding of iframes, applets, etc.).

It does a pretty decent job, but I found one thing it doesn't handle very well by default. In CSS code, it will attempt to comment out an attribute if you attempt to use JavaScript with it. Some example input:

<span style="background-image: url('javascript:alert(1)')">

HTML::Defang will turn that into this:

<span style="/*background-image: url('javascript:alert(1)')*/">

But, if you begin and end your CSS attribute with an end-comment and start-comment instead, HTML::Defang leaves the code looking like this:

<span style="/**/background-image: url('javascript:alert(1)')/**/">

Now, granted, this sort of exploit only really hits Internet Explorer users (at least for older versions of IE), but it is a pretty big issue still. This is basically how Samy pwned MySpace, after all.

Anyway, I've written a test CGI script for HTML::Defang: you can try to break it here. I added a custom CSS handler that will neutralize JavaScript attempts from the CSS code to handle that problem I found in HTML::Defang. You can see the source code by clicking the link at the bottom of that page.

If anybody finds a way to get JavaScript to execute on that page, let me know. :) I've tried all the usual tricks and haven't found a loophole yet.
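The bypass above works because the sanitizer wraps untrusted text in comment delimiters that the text itself can close. As an added example (not HTML::Defang's code and not the handler from the test script mentioned above), the Perl below models that wrapping with a hypothetical `comment_out`, replays the two inputs shown in the post, and compares the result with a hypothetical allowlist filter, `filter_style`. The function names and the property allowlist are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical model of the comment-out strategy (not HTML::Defang's code):
# a style value that mentions javascript: is wrapped in /* ... */.
sub comment_out {
    my ($css) = @_;
    return $css =~ /javascript:/i ? "/*$css*/" : $css;
}

# What a CSS parser still sees once complete comments are discarded.
sub effective_css {
    my ($css) = @_;
    $css =~ s{/\*.*?\*/}{}gs;
    return $css;
}

# Assumed allowlist for this example; extend it per application.
my %ALLOWED = map { $_ => 1 } qw(color background-color font-size font-weight text-align);

# Hardened alternative: remove comment tokens first, then keep only allowlisted
# properties whose values hold no escapes, comment characters, functions,
# quotes or colons.
sub filter_style {
    my ($css) = @_;
    $css =~ s{/\*.*?\*/}{}gs;    # complete comments
    $css =~ s{/\*|\*/}{}g;       # stray delimiters such as a leading */
    my @keep;
    for my $decl (split /;/, $css) {
        my ($prop, $value) = $decl =~ /^\s*([A-Za-z-]+)\s*:\s*(.+?)\s*$/s or next;
        next unless $ALLOWED{ lc $prop };
        next if $value =~ m{[\\/*()<>&"':]};
        push @keep, lc($prop) . ": $value";
    }
    return join '; ', @keep;
}

# The first two inputs are the ones shown in the post; the third is constructed.
for my $in (q{background-image: url('javascript:alert(1)')},
            q{*/background-image: url('javascript:alert(1)')/*},
            q{color: red; font-size: 12px}) {
    print "input:    $in\n";
    print "  parser sees after comment-out: [", effective_css(comment_out($in)), "]\n";
    print "  allowlist filter keeps:        [", filter_style($in), "]\n";
}
```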


There is 1 comment on this page.

Posted on Wednesday, August 20 2014 @ 02:08:30 PM by Lars Helgeson.

I think defang needs a little updating. Take a look at what happens when you put @media in a <style>. Not only does everything in the <style> get HTML comment tags, the @media is totally removed. This is something everyone uses for designing responsive HTML content (emails, webpages), so maybe you can take a look at updating the Perl module accordingly? Please? :)

    <title>Message for you</title>
    <style type="text/css">div, p, a, li, td, dd { -webkit-text-size-adjust:none; }
    dt { margin: 5px; }
    body {font-family: 'Trebuchet MS', Helvetica, sans-serif; font-size: 12px; color: #000000; }
    p,ul,li {font-family:'Trebuchet MS', Helvetica, sans-serif; font-size: 12px; line-height: 20px; }
    @media only screen and (max-device-width: 480px)
    img,table { max-width: 400px !important; }
    img { max-height: 600px !important; }
    #Background { max-width: 420px !important; }
    #Stationery { width: 400px !important; }
    <body bgcolor="#e3e3e3" leftmargin="0" marginheight="0" marginwidth="0" style="background-color: #e3e3e3;" topmargin="0">
    <table cellpadding="10" cellspacing="0" id="Background" style="background-color: #e3e3e3; width: 100%;" width="100%">

Edit by kirsle: fixed formatting of message

