Search the Community

I am going to design a webpage, which contains <div>(s) that allow users to submit their (X)HTML with CSS, and being inserted into those <div>(s). I understand it will suffer from XSS seriously, so I will use HTML Purifier to sanitise the (X)HTML and CSS. For instance, I will definitely not allow <script>, <iframe>, and external resources. But I wish to allow almost all other tags and CSS attributes. Here comes the question. I wish to keep client elements (visually) inside the <div>(s). I have tried a partial solution, by using position: absolute; and overflow: hidden;, as follow: <html><head><style>div#jail { position: absolute; overflow: hidden; border: 1px dotted red; height: 200%; width: 50%; left: 25%; top: 25%;}/* All client's CSS is ensured prefixed with div#jail */div#jail .client_code { margin: 0; position: absolute; top: -8px; z-index: 1000;}</style></head><body><div id="jail"> <p class="client_code">elements being jailed</p></div></body></html>The effect of the codes above is as follow: The red dotted line is the "Jail". The purpose is to make any HTML codes with any CSS (prefixed with div#jail) to visually keep inside the box. As shown above, the line of text tried to move out of the box. However, because of overflow: hidden, it is just clipped. So nothing could escape the "Jail". This is good. So far, I have successfully jailed <p> inside div#jail for most kinds of client's HTML elements and CSS, except when user uses position: fixed;. div#jail .client_code { position: fixed; top: 0px;}The following is the screen capture, which the "jail" failed: As shown above, if the position: fixed CSS is applied to the jailed elements, the result is that the line of text can be shown outside the box - i call it a breakthrough of the jail. This is not good. So, my question is, how to ensure everything are visually "jailed" inside the box? If position: fixed is the only CSS which can cause this breakthrough, i can just prohibit position: fixed and the Jail would be enforced. If there are any other ideas/design to achieve this, any solutions are welcomed! Thanks a lot!

In my webpage, I am going allow clients (X)HTML. To avoid XSS, I will use HTML Purifier, and disable the <script> tag (and some other dangerous tags). Yet I would like to enable designers of those (X)HTML to use certain programming-like features, for example displaying a list of items, which would need a for-loop. Then I came up with the idea that : users submit the XSL code, I provide the XML with the data required by the users. As HTML Purifier cannot sanitise XSL code (can it?), my proposed flow would be: [*]User submits a piece of XSL code.[*]In the server, there are some sample data (sample XMLs). PHP is used to do the XSL transform with those sample XML data.[*]Pass the output XHTML to HTML Purifier. If HTML Purifier detects any prohibited elements in the code, stop process and show the errors to user.[*]If it passes HTML Purifier, check it against the W3C validator. (This is just a double check. Outputs from HTML Purifier should be valid.)[*]Save the piece of XSL code into database. Use (include) it whenever needed. Do you think the flow above can assure the final XSL code saved into the database is clean (given that HTML Purifier is perfect)? Another concern is that, (this is the main question here), is it safe to accept arbitrary XSL codes, and perform XSL transform by PHP in the server? Could there be any security holes that some XSS, injection, etc being included in the XSL codes, such that being harmful to the server or the PHP programs? Finally, if there are any other ideas/design to achieve this, any solutions are welcomed! Thanks a lot!