whitelists for secure HTML
Published September 9th, 2006
Microsoft’s RSS Team comments on all the security stuff:
Sanitization: First, the Windows RSS Platform uses several techniques to strip out script (and several other variations of malicious HTML) before storing the feed content.
Great, except, uhm, it's a horrible plan. The only way to really sanitize HTML input is to rebuild it into a DOM, apply a whitelist of allowed HTML tags and attributes (and, for attributes that carry URLs, allowed schemes), and then re-render the DOM. A strip filter has to anticipate every encoding, mutation and parser quirk an attacker will ever find; a whitelist only has to describe the handful of harmless constructs you actually want to display. All 'strip' techniques will fail, sooner or later.
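To make the difference concrete, here is an added example (mine, not code from the post or from the Windows RSS Platform) that puts a regex "strip script" filter next to a parse-whitelist-rerender sanitizer built on Python's standard-library HTMLParser. The whitelist itself, the safe URL schemes and the sample inputs are assumptions constructed for the example; the mutated-tag input shows the strip approach producing exactly the script tag it was meant to remove, while the whitelist sanitizer never emits a tag or attribute it was not told about.

```python
"""Strip-based filtering vs. a parse/whitelist/re-render HTML sanitizer.

Added example, not code from the original post or from the Windows RSS Platform.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Whitelist chosen for this example (an assumption); a real feed reader would
# tune it to the markup it is willing to display.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "br",
                "ul", "ol", "li", "blockquote", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img", "hr"}
# Disallowed elements whose *contents* are discarded too, not just their markup.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript",
                "textarea", "title"}

# The kind of "strip out script" filter the post warns against.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def naive_strip(untrusted_html):
    """Blacklist approach: delete anything that looks like a script element."""
    return SCRIPT_RE.sub("", untrusted_html)


class Node:
    def __init__(self, tag, attrs):
        self.tag = tag            # None for the document root
        self.attrs = attrs        # list of (name, value) as the parser saw them
        self.children = []        # Node objects or decoded text strings


class TreeBuilder(HTMLParser):
    """Rebuilds the input as a tree; HTMLParser lowercases names and decodes entities."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = Node(None, [])
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = Node(tag, attrs)
        self.stack[-1].children.append(node)
        if tag not in VOID_TAGS:
            self.stack.append(node)

    def handle_endtag(self, tag):
        # Close back to the nearest matching open element; ignore stray end tags.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i].tag == tag:
                del self.stack[i:]
                return

    def handle_data(self, data):
        self.stack[-1].children.append(data)


def safe_url(value):
    """Allow relative URLs and a fixed set of schemes; everything else is dropped."""
    if value is None:
        return False
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def render(node):
    """Re-serialize the tree, emitting only whitelisted tags and attributes."""
    if isinstance(node, str):
        return html.escape(node, quote=False)      # text is always re-escaped
    inner = "".join(render(child) for child in node.children)
    if node.tag is None:
        return inner
    if node.tag not in ALLOWED_TAGS:
        # Unknown element: drop its markup; keep its text unless it is a
        # container whose contents are code rather than content.
        return "" if node.tag in DROP_CONTENT else inner
    attrs = []
    for name, value in node.attrs:
        if name not in ALLOWED_ATTRS.get(node.tag, set()):
            continue                                # e.g. onerror, style, onclick
        if name in URL_ATTRS and not safe_url(value):
            continue                                # e.g. javascript:, data:
        attrs.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
    open_tag = "<%s%s>" % (node.tag, "".join(attrs))
    if node.tag in VOID_TAGS:
        return open_tag
    return "%s%s</%s>" % (open_tag, inner, node.tag)


def sanitize(untrusted_html):
    """Parse into a DOM-like tree, then re-render through the whitelist."""
    builder = TreeBuilder()
    builder.feed(untrusted_html)
    builder.close()
    return render(builder.root)


# Constructed sample inputs for this example.
SAMPLES = {
    # Mutated tags: one pass of SCRIPT_RE removes the inner pairs and leaves
    # a well-formed <script> element behind.
    "mutation": "<scr<script></script>ipt>alert(1)</scr<script></script>ipt>",
    # No script element at all, so a script stripper does nothing.
    "handler": '<img src="x" onerror="alert(1)">',
    "scheme": '<a href="javascript:alert(1)">click</a>',
    "encoded": '<a href="&#106;avascript:alert(1)">x</a>',
    # Harmless markup should survive untouched.
    "clean": '<p>Hello <b>world</b>, see <a href="https://example.com/">this</a>.</p>',
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name)
        print("  strip:     ", naive_strip(sample))
        print("  whitelist: ", sanitize(sample))
```

Note that the sanitizer never has to know what `onerror` or `javascript:` are: the event handler is dropped because it is not in the attribute whitelist, and the scheme is dropped because it is not in the scheme whitelist. The entity-encoded variant is handled for free because the parser decodes attribute values before the whitelist ever sees them, which is exactly the normalization a regex over raw text does not get.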
Written by Paul Querna, CTO @ ScaleFT. @pquerna