0 votes

I'm working to address some stored XSS vulnerabilities and I am using HTMLPurifier. I have an input box on the page and if I type '" onclick="alert(1);" the code is saved to the database and executed on the client. This is happening even after running the input and output through Purifier. It seems as if HTMLPurifier only strips these attributes when they are included within an HTML tag. I'm wondering if there is some config for Purifier that will strip just the event attributes, or any other suggestions on how to clean these up.

1

If possible, can you post the html, js? Thanks – guest271314
Wouldn't '" onclick="alert(1);" when outside of an HTML tag be non-executable text? – Jon P
Using the demo page produces the same result so it looks like it leaves text: htmlpurifier.org/… – Jon P
This is what is rendered: <input id="SKYPEID" value="" onclick="alert(20);" "="" class="medium user_fld" type="text"> – Phil Izquierdo

1 Answer

1 votes

HTML Purifier is purely intended for use on content which will be used as HTML on a page. It is not appropriate for validating content which, for example, will go in an attribute for an HTML element.

You can use some internal APIs of HTML Purifier to validate content for this case. However, for the example quoted in the comments, all you need is htmlspecialchars to do the right thing. The right choice of validator depends on what attribute you put the content in.
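The attribute-context problem the answer describes, as an added example that is not part of the original answer or of HTML Purifier itself. It renders the attacker string from the comments into the `value` attribute of the same `<input>` twice: once by plain interpolation (the markup shown in the comments), once after `htmlspecialchars` with `ENT_QUOTES`, and then asks a real HTML parser which attributes each version actually contains. The element id, the helper names and the attacker string are constructed for the demo.

```php
<?php
// Added example (not code from the question or from HTML Purifier).
// Shows why element-content sanitising does not protect an attribute value,
// and what attribute-context escaping looks like instead.

// Constructed attacker input, the same shape as the one in the question.
$untrusted = '\'" onclick="alert(1);"';

// Vulnerable: the value is dropped straight into value="...". The embedded
// double quote closes the attribute and the rest of the string becomes new
// attributes on the element, which is exactly the rendered markup in the
// comments. HTML Purifier does not help here because, as bare text, the
// string contains no tag for it to strip.
function renderVulnerable(string $value): string
{
    return '<input id="SKYPEID" type="text" value="' . $value . '">';
}

// Hardened: escape for the attribute context.
//   ENT_QUOTES     turns both " and ' into entities, so the value can never
//                  terminate a double- or single-quoted attribute.
//   ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "" (which
//                  would silently blank the field).
//   'UTF-8'        states the charset explicitly rather than relying on
//                  the default.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $value): string
{
    return '<input id="SKYPEID" type="text" value="' . attr($value) . '">';
}

// Ask libxml's HTML parser which attributes the <input> element ended up
// with. This is the check that matters: what the browser-side parser sees,
// not what the string looks like.
function attributeNames(string $html): array
{
    libxml_use_internal_errors(true);   // the vulnerable markup is malformed
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attribute) {
        $names[] = $attribute->name;
    }
    return $names;
}

$cases = [
    'vulnerable' => renderVulnerable($untrusted),
    'safe'       => renderSafe($untrusted),
];
foreach ($cases as $label => $html) {
    printf("%-10s %s\n", $label . ':', $html);
    printf("%-10s parser sees attributes: %s\n\n", '', implode(', ', attributeNames($html)));
}
```

The vulnerable rendering reports an `onclick` attribute the template never wrote; the escaped one reports only `id`, `type` and `value`. The same `attr()` helper is correct for any plain text attribute, but not for every attribute: a URL attribute such as `href` additionally needs the scheme checked (a `javascript:` URL survives `htmlspecialchars` untouched), and a value placed inside an inline event handler or `<script>` needs JavaScript-context encoding on top. That is the sense in which the right validator depends on which attribute the content goes into.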