HTMLawed is used by Vanilla to sanitize HTML, however, that is NOT what it is intended for. HTMLawed is only designed to be used to ensure valid HTML. HTMLawed fails to sanitize against a number of major attack vectors, especially in the style attribute, which can be used for click-jacking, phishing, web-page overlays, defacement, and more.
This is mentioned at http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.5
For example, the following snippet can be used to display a div outside the post area:
<div style="width: 100px; height: 100px; position: absolute; bottom: 0; right: 0; background: red; opacity: 0.5; z-index: 10000;">this is a security test</div>
A slight alteration could be used to exploit users via a clickjacking type attack:
<a href="http://attack.example.com" style="display: block; width: 100000px; height: 10000px; position: absolute; top: 0; left: 0; opacity: 0.0; z-index: 10000;">this is a security test</a>
You can test either of the above non-persistently by copying into a reply and clicking preview.
I strongly recommend returning to something intended for security, such as HTML Purifier. Alternately, it is supposedly
possible to write your own filter to sanitize the style attribute yourself. If abandoning HTMLawed is not an option, it might be ideal to lock down all styles except those used for basic text formatting.
-1 · ·