Fork me on GitHub
Current release is 2.1.6 (21 Nov 2014).

Users who have not yet upgraded to 2.1 should get security release (1 Nov 2014). We will stop providing these security releases to 2.0 at the end of this year.

Major HTMLawed Security Issues

edited December 2011 in Vanilla 2.0 Help
HTMLawed is used by Vanilla to sanitize HTML, however, that is NOT what it is intended for. HTMLawed is only designed to be used to ensure valid HTML. HTMLawed fails to sanitize against a number of major attack vectors, especially in the style attribute, which can be used for click-jacking, phishing, web-page overlays, defacement, and more.

This is mentioned at

For example, the following snippet can be used to display a div outside the post area:
<div style="width: 100px; height: 100px; position: absolute; bottom: 0; right: 0; background: red; opacity: 0.5; z-index: 10000;">this is a security test</div>
A slight alteration could be used to exploit users via a clickjacking type attack:
<a href=""; style="display: block; width: 100000px; height: 10000px; position: absolute; top: 0; left: 0; opacity: 0.0; z-index: 10000;">this is a security test</a>
You can test either of the above non-persistently by copying into a reply and clicking preview.

I strongly recommend returning to something intended for security, such as HTML Purifier. Alternately, it is supposedly possible to write your own filter to sanitize the style attribute yourself. If abandoning HTMLawed is not an option, it might be ideal to lock down all styles except those used for basic text formatting.


Sign In or Register to comment.