Question

In my webpage, I am going to allow clients to submit (X)HTML. To avoid XSS, I will use HTML Purifier, and disable the <script> tag (and some other dangerous tags).

Yet I would like to enable designers of those (X)HTML to use certain programming-like features, for example displaying a list of items, which would need a for-loop.

Then I came up with the idea that users submit the XSL code, and I provide the XML with the data required by the users.

As HTML Purifier cannot sanitise XSL code (can it?), my proposed flow would be:

  1. User submits a piece of XSL code.
  2. In the server, there are some sample data (sample XMLs). PHP is used to do the XSL transform with those sample XML data.
  3. Pass the output XHTML to HTML Purifier. If HTML Purifier detects any prohibited elements in the code, stop the process and show the errors to the user.
  4. If it passes HTML Purifier, check it against the W3C validator. (This is just a double check. Outputs from HTML Purifier should be valid.)
  5. Save the piece of XSL code into database. Use (include) it whenever needed.

Do you think the flow above can assure the final XSL code saved into the database is clean (given that HTML Purifier is perfect)?

Another concern (this is the main question here) is: is it safe to accept arbitrary XSL code and perform the XSL transform with PHP on the server? Could there be any security holes, such as XSS, injection, etc., being included in the XSL code that would be harmful to the server or the PHP programs?

Finally, if there are any other ideas/designs to achieve this, any solutions are welcome!


Solution

Absolutely not. XSL is Turing Complete and user-submitted XSL scripts can, at the very least, use up all your CPU, and at the very worst, run code on your server.

And even if the XSL is valid, a run on a single test input gives absolutely no indication that the XSL cannot produce XSS output on specially crafted input.

OTHER TIPS

Another thing to consider when allowing users to submit their own XSLT is that XSLT files are XML files themselves and could be open to things like Billion Laughs (XML bomb) attacks.
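As an added illustration of the two answers above (not code from the question or the answerers), this is how a PHP 5.4+ transform of untrusted XSLT would be locked down as far as PHP's own XSLTProcessor and libxml allow: file and network access from the stylesheet is refused, DTDs (the vehicle for Billion Laughs) are rejected, and the libxml2 entity-expansion cap is left in place. It does nothing about the CPU-exhaustion point from the accepted answer; an isolated worker with an OS-level time and memory limit is assumed to wrap this function, and the result is still untrusted markup that must go through HTML Purifier.

```php
<?php
declare(strict_types=1);

// Parse XML (stylesheet or data) from an untrusted source.
// LIBXML_NONET forbids network fetches; LIBXML_NOENT and LIBXML_DTDLOAD are
// deliberately NOT set, and LIBXML_PARSEHUGE is NOT set because it lifts
// libxml2's entity-amplification limit, which is what defuses an XML bomb.
function loadUntrustedXml(string $xml): DOMDocument
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        libxml_clear_errors();
        throw new RuntimeException('not well-formed XML');
    }
    // Any DOCTYPE at all is refused: user content has no legitimate need
    // for entity declarations, and that is where Billion Laughs lives.
    if ($doc->doctype !== null) {
        throw new RuntimeException('DTD not allowed');
    }
    return $doc;
}

// Run a user-supplied stylesheet over server-provided data.
function transformUntrusted(string $xslSource, string $dataXml): string
{
    $proc = new XSLTProcessor();
    // Bits set here are operations the stylesheet is FORBIDDEN to perform
    // (document(), exsl:document and similar file/network access). The
    // PHP default, XSL_SECPREF_DEFAULT, still permits reading files and
    // the network, so every bit is set explicitly.
    $proc->setSecurityPrefs(
        XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE
        | XSL_SECPREF_CREATE_DIRECTORY
        | XSL_SECPREF_READ_NETWORK | XSL_SECPREF_WRITE_NETWORK
    );
    // Never call $proc->registerPHPFunctions() on this processor: it lets
    // the stylesheet invoke arbitrary PHP functions through php:function().
    if (!$proc->importStylesheet(loadUntrustedXml($xslSource))) {
        throw new RuntimeException('stylesheet rejected');
    }
    $out = $proc->transformToXml(loadUntrustedXml($dataXml));
    if (!is_string($out)) {
        throw new RuntimeException('transform failed');
    }
    return $out; // still untrusted markup: pass it to HTML Purifier next
}
```

A stylesheet that simply loops forever is not stopped by any of this; only a process-level limit around the call (a sandboxed worker killed on timeout) bounds the CPU cost the accepted answer warns about.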

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow