
Major HTMLawed Security Issues

edited December 2011 in Vanilla 2.0 Help
HTMLawed is used by Vanilla to sanitize HTML; however, that is NOT what it is intended for. HTMLawed is only designed to ensure valid HTML. HTMLawed fails to sanitize against a number of major attack vectors, especially in the style attribute, which can be used for click-jacking, phishing, web-page overlays, defacement, and more.

This is mentioned at

For example, the following snippet can be used to display a div outside the post area:
<div style="width: 100px; height: 100px; position: absolute; bottom: 0; right: 0; background: red; opacity: 0.5; z-index: 10000;">this is a security test</div>
A slight alteration could be used to exploit users via a clickjacking-type attack:
<a href="" style="display: block; width: 100000px; height: 10000px; position: absolute; top: 0; left: 0; opacity: 0.0; z-index: 10000;">this is a security test</a>
You can test either of the above non-persistently by copying into a reply and clicking preview.

I strongly recommend returning to something intended for security, such as HTML Purifier. Alternatively, it is supposedly possible to write your own filter to sanitize the style attribute yourself. If abandoning HTMLawed is not an option, it might be ideal to lock down all styles except those used for basic text formatting.


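The post's last suggestion, locking the style attribute down to basic text formatting, is easy to show concretely. The following is an added example, not code from Vanilla, HTMLawed or HTML Purifier: a small Python filter that re-serialises an HTML fragment and rewrites every style attribute against an allowlist of four text-formatting properties (color, font-weight, font-style, text-decoration; the allowlist and the value patterns are assumptions for this example). Everything else, including the position, opacity, z-index, width and background declarations that the overlay and clickjacking snippets above rely on, is dropped, and the dropped property names are returned so a moderator can log them. Tag filtering is deliberately left to the HTML sanitizer; this only covers the style layer.

```python
"""Allowlist filter for the HTML style attribute (added example, not project code).

Keeps only a few text-formatting CSS properties and drops everything else,
which is what defeats overlay/clickjacking styles. Tag filtering is still
the job of the HTML sanitizer; this only scrubs the style attribute.
"""
import html
import re
from html.parser import HTMLParser

# Properties allowed in a user-supplied style attribute, each with a value
# pattern. This set is an assumption for the example; extend it deliberately.
ALLOWED_PROPERTIES = {
    "color": re.compile(r"^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{1,20})$", re.I),
    "font-weight": re.compile(r"^(normal|bold|[1-9]00)$", re.I),
    "font-style": re.compile(r"^(normal|italic|oblique)$", re.I),
    "text-decoration": re.compile(r"^(none|underline|line-through)$", re.I),
}

# Tokens that never belong in an allowed value (url(), expression(),
# backslash escapes, CSS comments, @import); checked before the per-property pattern.
DANGEROUS_VALUE = re.compile(r"url\s*\(|expression\s*\(|javascript:|\\|/\*|@import", re.I)


def filter_style(style):
    """Split a style string into declarations; return (kept_style, dropped_props)."""
    kept, dropped = [], []
    for decl in style.split(";"):
        if ":" not in decl:
            continue  # empty segment (trailing ';') or malformed declaration
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        pattern = ALLOWED_PROPERTIES.get(prop)
        if pattern and not DANGEROUS_VALUE.search(value) and pattern.match(value):
            kept.append(f"{prop}: {value}")
        else:
            dropped.append(prop)
    return "; ".join(kept), dropped


class StyleScrubber(HTMLParser):
    """Re-serialise an HTML fragment, rewriting every style attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.out, self.dropped = [], []

    def _render(self, tag, attrs, selfclosing=False):
        parts = [tag]
        for name, value in attrs:
            value = "" if value is None else value
            if name.lower() == "style":
                value, dropped = filter_style(value)
                self.dropped.extend(dropped)
                if not value:
                    continue  # nothing survived: drop the attribute entirely
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if selfclosing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, selfclosing=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # HTML comments are dropped from user content


def scrub_styles(fragment):
    """Return (cleaned_fragment, dropped_property_names) for an HTML fragment."""
    parser = StyleScrubber()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed samples: the overlay and clickjacking snippets from the post
# plus a benign one that mixes allowed and disallowed properties.
OVERLAY = ('<div style="width: 100px; height: 100px; position: absolute; bottom: 0; '
           'right: 0; background: red; opacity: 0.5; z-index: 10000;">this is a security test</div>')
CLICKJACK = ('<a href="" style="display: block; width: 100000px; height: 10000px; '
             'position: absolute; top: 0; left: 0; opacity: 0.0; z-index: 10000;">this is a security test</a>')
BENIGN = '<b style="color: red; font-weight: bold; position: absolute">ok</b>'

if __name__ == "__main__":
    for sample in (OVERLAY, CLICKJACK, BENIGN):
        cleaned, dropped = scrub_styles(sample)
        print(cleaned, "  dropped:", dropped)
```

Run it and both attack snippets come back as a plain `<div>` and a plain `<a href="">`, while the benign sample keeps `color: red; font-weight: bold` and loses only `position`. The allowlist approach matters more than the exact property set: a blocklist of "position" and "opacity" would miss the next layout property an attacker reaches for, whereas anything not explicitly permitted here is dropped by default.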