Forum: Ruby on Rails Security considerations with displaying uploaded HTML

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Bb4bdf2b184027bc38d4fb529770cde5?d=identicon&s=25 Wes Gamble (weyus)
on 2006-04-18 21:56
I have an application where I am allowing users to upload (or refer the
app. to) arbritrary HTML that I am (currently) displaying in an IFRAME
on a page.  The users will be authenticated so it's not open to the
entire universe.

I was always uneasy with this, but after reading the security chapter of
AWDWR, I am even more concerned.

What kinds of applications do people have out there that provide
snippets of HTML that could be user provided?

I saw something in AWDWR about sanitize() - any comments/advice on that?

One thing I'm considering is rendering it on the server side and
providing an image of the rendered to the user - then I only have to
worry about being compromised on my server instead of worrying about XSS
attacks.  Does that make sense?

Any thoughts or advice is appreciated.

Wes
Eeba234182bcbd7faed9ff52e233394d?d=identicon&s=25 Douglas Livingstone (Guest)
on 2006-04-18 22:51
(Received via mailing list)
2006/4/18, Wes Gamble <weyus@att.net>:
>
> One thing I'm considering is rendering it on the server side and
> providing an image of the rendered to the user - then I only have to
> worry about being compromised on my server instead of worrying about XSS
> attacks.  Does that make sense?
>

Personally I'd be more worried about the server being compromised than
XSS, so I wouldn't consider that an option.

> I have an application where I am allowing users to upload (or refer the
> app. to) arbritrary HTML that I am (currently) displaying in an IFRAME
> on a page.  The users will be authenticated so it's not open to the
> entire universe.

Most HTML and CSS shouldn't be able to affect you outside the IFRAME.
I'd remove all meta, link and script tags. The main worry would be
JavaScript, so also get rid of on*="" attributes, and probably filter
hyperlinks which start with the javascript: protocall too... which
come to think of it is what sanitize() does (except for the meta tags,
I'd try and protect against a stupid meta-refresh too).

If you serve the content of the IFRAME from a different domain that
should trigger more security from the browser, which should block most
things.

hth,
Douglas
Bb4bdf2b184027bc38d4fb529770cde5?d=identicon&s=25 Wes Gamble (weyus)
on 2006-04-19 00:16
Douglas,

Thanks for this.  The thing is that I need to be able to "preview" this
HTML and show it to the user the way that it would look in a browser.

The problem is there are lots of pages now that do things like specify
image tags and their contents via Javascript which means that stripping
<SCRIPT> tags and/or on* event handlers could potentially hobble the
page.

Wes

Douglas Livingstone wrote:
> 2006/4/18, Wes Gamble <weyus@att.net>:
>>
>> One thing I'm considering is rendering it on the server side and
>> providing an image of the rendered to the user - then I only have to
>> worry about being compromised on my server instead of worrying about XSS
>> attacks.  Does that make sense?
>>
>
> Personally I'd be more worried about the server being compromised than
> XSS, so I wouldn't consider that an option.
>
>> I have an application where I am allowing users to upload (or refer the
>> app. to) arbritrary HTML that I am (currently) displaying in an IFRAME
>> on a page.  The users will be authenticated so it's not open to the
>> entire universe.
>
> Most HTML and CSS shouldn't be able to affect you outside the IFRAME.
> I'd remove all meta, link and script tags. The main worry would be
> JavaScript, so also get rid of on*="" attributes, and probably filter
> hyperlinks which start with the javascript: protocall too... which
> come to think of it is what sanitize() does (except for the meta tags,
> I'd try and protect against a stupid meta-refresh too).
>
> If you serve the content of the IFRAME from a different domain that
> should trigger more security from the browser, which should block most
> things.
>
> hth,
> Douglas
Eeba234182bcbd7faed9ff52e233394d?d=identicon&s=25 Douglas Livingstone (Guest)
on 2006-04-19 04:10
(Received via mailing list)
2006/4/19, Wes Gamble <weyus@att.net>:
>
> The problem is there are lots of pages now that do things like specify
> image tags and their contents via Javascript which means that stripping
> <SCRIPT> tags and/or on* event handlers could potentially hobble the
> page.
>

At least for IE, this might hep then:

http://www.microsoft.com/technet/prodtechnol/ie/re...

"A content author can create a frame or IFRAME with the
"security=restricted" attribute. This attribute puts the contents of
the frame or IFRAME, as well as any child frames (initiated by parent
frames) that it might contain, in the Restricted sites zone. For
example, if the http://a.com/ Web page contains <iframe
security=restricted src="http://b.com/"></iframe> and the
http://b.com/ Web page contains <iframe
src="http://www.microsoft.com/"> </iframe>, both http://b.com/ and
http://www.microsoft.com/ will run in the Restricted sites zone. The
frame cannot run scripting or ActiveX controls, unless the user
changes the default settings for the Restricted sites zone or you used
the Internet Explorer Customization Wizard to override the Restricted
sites zone settings for the Internet Explorer installation. Also,
support for Meta-refresh (a mechanism that allows a Web page to
redirect to another Web page on a timer without using script) is
disabled in the Restricted sites zone."

I'm not sure how much security that gives you, and it will only be for
IE, which isn't exactly known for security, but that might be a help.
Try and hack it and see! And hey, it turns off the meta-refresh too
:-)

Douglas
Bb4bdf2b184027bc38d4fb529770cde5?d=identicon&s=25 Wes Gamble (weyus)
on 2006-04-19 06:24
Douglas,

Again thanks!  I found that right after your last post.  I'll do my
best.

I'll try and post any other stuff that I find out.

Wes

Douglas Livingstone wrote:
> 2006/4/19, Wes Gamble <weyus@att.net>:
>>
>> The problem is there are lots of pages now that do things like specify
>> image tags and their contents via Javascript which means that stripping
>> <SCRIPT> tags and/or on* event handlers could potentially hobble the
>> page.
>>
>
> At least for IE, this might hep then:
>
> http://www.microsoft.com/technet/prodtechnol/ie/re...
>
> "A content author can create a frame or IFRAME with the
> "security=restricted" attribute. This attribute puts the contents of
> the frame or IFRAME, as well as any child frames (initiated by parent
> frames) that it might contain, in the Restricted sites zone. For
> example, if the http://a.com/ Web page contains <iframe
> security=restricted src="http://b.com/"></iframe> and the
> http://b.com/ Web page contains <iframe
> src="http://www.microsoft.com/"> </iframe>, both http://b.com/ and
> http://www.microsoft.com/ will run in the Restricted sites zone. The
> frame cannot run scripting or ActiveX controls, unless the user
> changes the default settings for the Restricted sites zone or you used
> the Internet Explorer Customization Wizard to override the Restricted
> sites zone settings for the Internet Explorer installation. Also,
> support for Meta-refresh (a mechanism that allows a Web page to
> redirect to another Web page on a timer without using script) is
> disabled in the Restricted sites zone."
>
> I'm not sure how much security that gives you, and it will only be for
> IE, which isn't exactly known for security, but that might be a help.
> Try and hack it and see! And hey, it turns off the meta-refresh too
> :-)
>
> Douglas
This topic is locked and can not be replied to.