HTML - Not validating user input (malign script execution)


For a secure application, when accepting untrusted input, e.g. user-generated content such as:

  • text comments,
  • values in URL parameters,
  • messages from third-party sites,
  • etc,

it is imperative that the data be validated before use, and properly escaped when displayed.

Whitelist Filter

When writing filters to validate user input, it is imperative that filters always be whitelist-based, allowing known-safe constructs and disallowing all other input. Blacklist-based filters that disallow known-bad inputs and allow everything else are not secure, as not everything that is bad is yet known (for example, because it might be invented in the future).




When allowing harmless-seeming elements like img, it is important to whitelist any provided attributes as well. If one allowed all attributes then an attacker could, for instance, use the onload attribute to run arbitrary script.


When allowing URLs to be provided (e.g. for links), the scheme of each URL also needs to be explicitly whitelisted, as there are many schemes that can be abused. The most prominent example is “javascript:”, but user agents can implement (and indeed, have historically implemented) others.


Allowing a base element to be inserted means any script elements in the page with relative links can be hijacked, and similarly that any form submissions can get redirected to a hostile site.

Powered by ComboStrap