
Question

I'm building a webmail, which must be able to display HTML emails. But how to prevent XSS and similar attacks, while not losing HTML formatting?

In Gmail, when I receive some emails from, let's say, Twitter, they are nicely formatted. I'm after something like this.

HTML5 supports the sandbox attribute for iframes, which seems to solve my problem, but it's badly supported. I need a solution which works in MODERN browsers, but which doesn't become insecure in old browsers. It is acceptable for this NOT TO WORK at all in old browsers, but it cannot become insecure. It should work in IE9 and above.

What are my options?

Explanation / Answer

Google spends a lot of money each year in bug bounty to ensure that Gmail isn't susceptible to XSS. Part of this effort has produced Google-Caja, which is an open source project that filters HTML to a "safe" subset.

HTML filter sandboxes like Caja rely upon an "older" solution that uses complex parsing techniques, and thousands of regular expressions to filter out XSS payloads. A "newer" solution is the Content Security Policy, which allows the developer to build HTML pages that are totally immune to reflective and persistent XSS, and this is a stronger protection than what Caja is able to provide. CSP would be the best solution, but it is "too new"; IE and older browsers don't support it.

If I needed to jail HTML, I would use Caja with a strict CSP ruleset.
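To make the two layers in the answer concrete, here is an added example (not Caja, and not the answer's own code) in Python's standard library: an allowlist-based sanitizer that reduces an incoming HTML email to a safe subset of tags and attributes, drops script/style content and event handlers, rejects `javascript:` URLs, and pairs that with a strict CSP string for the frame that renders the result. The tag and attribute allowlists, the CSP ruleset and the sample email are constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: only these tags/attributes survive; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img", "span", "div",
                "table", "tr", "td", "th", "ul", "ol", "li", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# Second layer, served on the frame that displays the sanitized HTML (constructed ruleset):
# no scripts, no frames, no fonts, only https images; CSP-aware browsers enforce it even
# if the sanitizer missed something.
EMAIL_FRAME_CSP = "default-src 'none'; img-src https:"

def safe_url(value):
    # Browsers ignore tab/CR/LF inside URLs, so strip C0 controls before reading the scheme.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES  # relative URLs and safe schemes only

class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return
        kept = []
        for name, value in attrs:  # names are lowercased by HTMLParser, so onError is caught
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:  # text is re-escaped, so decoded entities cannot form tags
            self.out.append(escape(data, quote=False))

def sanitize_email_html(raw):
    parser = EmailSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

Use `sanitize_email_html()` on the message body and send `Content-Security-Policy: ` + `EMAIL_FRAME_CSP` on the response that renders it; on a browser without CSP the allowlist alone still holds, which matches the question's requirement that old browsers degrade without becoming insecure.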
