AntiXss library seems to strip out HTML5 data attributes, does anyone know why?

I need to retain this input:

<label class='ui-templatefield' data-field-name='P_Address3' data-field-type='special' contenteditable='false'>[P_Address3]</label>

The main reason for using the AntiXSS library (v4.0) is to ensure unrecognized style attributes are not parsed; is this even possible?

code:

using Microsoft.Security.Application; // AntiXSS 4.0 namespace that contains the Sanitizer class

var result = Sanitizer.GetSafeHtml(html);

EDIT:

The input below results in the entire style attribute being removed

Input:

var input = "<p style=\"width:50px;height:10px;alert('evilman')\"/> Not sure why is is null for some wierd reason!<br><p></p>";

Output:

var input = "<p style=\"\"/> Not sure why is is null for some wierd reason!<br><p></p>";

Which is fine, if anyone messes around with my code on client side, but I also need the data attribute tags to work!

pnuts
Haroon
  • By default the sanitizer leaves in only things that are known to be safe (white list filtering). You can configure the sanitizer to leave in the attributes you know are safe. – Steven Mar 18 '11 at 12:42
  • do you have an example on how I can add an attribute to a whitelist? or a link? – Haroon Mar 18 '11 at 14:35

1 Answer

I assume you mean the sanitizer, rather than the encoder. It's doing what it's supposed to: it simply doesn't understand HTML5 or recognise the attributes, so it strips them. There are ways to XSS via styles.

It's not possible to customise the safe list either, I'm afraid; the code base simply doesn't allow for this. I know a large number of people want that, but it would take a complete rewrite to support it.

blowdart
  • attacks via the html5 data-* attribute also? Yes I meant the sanitizer, I may have to ditch this library as I need those tags - it still needs to strip out the possible evil input too! – Haroon Mar 18 '11 at 14:54
  • Not sure about data-*, not evaluated it in any way. But yes, if you need those I'm afraid the HTML sanitization bits aren't going to meet your needs. – blowdart Mar 18 '11 at 17:36
  • thanks anyway... I appreciate the hard work you have put into the library, I hope that maybe the html5 data attributes could be included if you do make further amends to the library! :) – Haroon Apr 01 '11 at 16:36
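The thread boils down to one design point: AntiXSS 4.0 sanitizes by allow-list (anything it does not recognise is dropped, which is why both the data-* attributes and the alert('evilman') fragment inside style vanish), and that list cannot be extended. The sketch below is an added example, not code from AntiXSS or from anyone in the thread. It shows the same allow-list model on the question's two inputs, but with a configurable list: data-* attributes with well-formed names are kept, `style` is reduced to a couple of plain length declarations, and event handlers, unknown tags and script content are dropped. The tag and attribute lists, the regular expressions and the sample inputs are all constructed for this example; it uses only the Python standard library.

```python
"""Allow-list HTML sanitizer sketch (added example; not AntiXSS code).

Everything not on the safe list is dropped, as in AntiXSS, but the safe
list is configurable so HTML5 data-* attributes can be retained.
"""
import re
from html import escape
from html.parser import HTMLParser

# Constructed safe list: tag -> attributes allowed on it (besides data-*).
ALLOWED_TAGS = {
    "p": {"class"},
    "br": set(),
    "label": {"class", "contenteditable"},
    "span": {"class"},
}
# Void elements never carry content, so a disallowed one must not start a "skip" region.
HTML_VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
# data-* names: lowercase letters, digits and single hyphens only.
DATA_NAME_RE = re.compile(r"^data-[a-z0-9]+(?:-[a-z0-9]+)*$")
# style: only width/height with a plain px or % length; every other declaration
# (expression(), url(), or the stray alert('evilman') from the question) is dropped.
STYLE_PROP_RE = re.compile(r"^(width|height)\s*:\s*(\d{1,4}(?:px|%))$")
BOOL_VALUES = {"contenteditable": {"true", "false"}}


def clean_style(value):
    """Keep only allow-listed CSS declarations; None if nothing survives."""
    kept = []
    for decl in value.split(";"):
        m = STYLE_PROP_RE.match(decl.strip().lower())
        if m:
            kept.append(f"{m.group(1)}:{m.group(2)}")
    return ";".join(kept) or None


def clean_attr(tag, name, value):
    """Return the attribute value to emit, or None to drop the attribute."""
    name = name.lower()
    value = "" if value is None else value
    if any(ord(c) < 32 and c not in "\t\n\r" for c in value):
        return None                          # control characters: drop
    if DATA_NAME_RE.match(name):
        return value                         # well-formed data-* survives
    if name == "style":
        return clean_style(value)
    if name in ALLOWED_TAGS[tag]:
        if name in BOOL_VALUES and value.lower() not in BOOL_VALUES[name]:
            return None
        return value
    return None                              # on* handlers, href, anything unknown


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0                 # > 0 while inside a disallowed element

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in ALLOWED_TAGS:
            if tag not in HTML_VOID:
                self._skip_depth += 1        # drop the element and its content
            return
        if self._skip_depth:
            return
        parts = [tag]
        for name, value in attrs:
            cleaned = clean_attr(tag, name, value)
            if cleaned is not None:
                parts.append(f'{name.lower()}="{escape(cleaned, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag not in ALLOWED_TAGS:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if not self._skip_depth and tag not in HTML_VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Sanitize a fragment; output is re-serialised with double-quoted attributes."""
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # The two inputs from the question, reproduced as sample data.
    print(sanitize("<label class='ui-templatefield' data-field-name='P_Address3' "
                   "data-field-type='special' contenteditable='false'>[P_Address3]</label>"))
    print(sanitize("<p style=\"width:50px;height:10px;alert('evilman')\"/> "
                   "Not sure why is is null for some wierd reason!<br><p></p>"))
```

On the label input every attribute survives (single quotes are normalised to double); on the style input the two length declarations are kept and the alert fragment is gone, rather than the whole attribute being emptied as AntiXSS does. Tightening `STYLE_PROP_RE` is the safe direction if in doubt: the answer's warning that styles can carry XSS is why this list is a handful of numeric lengths and not a general CSS parser.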