Preventing XSS with Data Binding. The PoC
Result:
The anchor you chose:
testme (if it's not a good protocol it'll be disabled)
The style you chose:
styled text (if it's not a good style it won't be applied)
Some detail about the theory and the aim of this PoC here.
In early September I'll release a paper with a more complete description of this research.
...and another raw (unfinished) example for mixed user HTML. Look at the source code for a better understanding.
Author Contact: stefano.dipaola at wisec.it / stefano.dipaola at mindedsecurity.com
Update: Added a plaintext (awful but useful) solution for variable-width encoding (doesn't work with Opera).
Known Issues: despite the RFC, IE doesn't ignore unknown properties, so a style like
'blah: expression((window.r==1)?":eval("r=1;alert('XSS');"))' will be executed...
Update 2:
It seems the style problem can be fixed by using a first element to remove unknown style
attributes and then setting the auto-sanitized cssText on a second element.
The workaround for the expression exploit (isIE is the page's own browser-detection flag, defined elsewhere):
    // Parse the untrusted cssText on a throwaway element first: the browser's
    // CSS parser drops unknown properties while normalizing the text.
    if (typeof this._bstyle == 'undefined')
        this._bstyle = document.createElement('A');
    this._bstyle.style.cssText = cssText;
    // Copy only the normalized cssText to the element that is actually displayed.
    if (typeof this._astyle == 'undefined')
        this._astyle = document.createElement('A');
    this._astyle.style.cssText = this._bstyle.style.cssText.toString();
    delete this._bstyle;
    // IE keeps unknown properties, so anything that still carries expression() or url() is rejected outright.
    if (isIE && this._astyle.style["cssText"].toString().match(/url|expression/i)) {
        alert("Sorry, the text contained expression or Url");
        this._astyle.style["cssText"] = '';
    }
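As an added example that is not the PoC's own code, here is a DOM-free allowlist version of the two checks the PoC applies to bound data: the anchor protocol check ("if it's not a good protocol it'll be disabled") and the style check that drops unknown properties and refuses expression()/url(). The function names, the allowlists and the "#" disabled-href convention are my assumptions; in a browser the return values would be assigned to element.href and element.style.cssText.

```javascript
// Added example: allowlist sanitizers for a bound href and a bound style string.
// Pure JavaScript, no DOM needed, so the checks can also run server-side.

const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Allowed CSS properties for user-styled text (assumed allowlist).
const SAFE_PROPERTIES = new Set([
  "color", "background-color", "font-weight", "font-style",
  "font-size", "text-decoration",
]);

// Values that could reach script or external resources: IE expression(),
// url(), behavior/binding, escapes and comments that IE unescapes before parsing.
const DANGEROUS_VALUE = /expression|url\s*\(|behavior|binding|javascript|@import|\\|\/\*|[<>]/i;

// Returns the href unchanged if its scheme is allowed (or it is relative),
// otherwise "#", i.e. the anchor is disabled rather than rewritten.
function sanitizeHref(href) {
  const trimmed = String(href).trim();
  // Remove control characters and whitespace inside the scheme, which some
  // browsers ignore ("java\tscript:" would otherwise slip past the check).
  const cleaned = trimmed.replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return trimmed;                       // no scheme: relative URL
  return SAFE_PROTOCOLS.has(m[1].toLowerCase() + ":") ? trimmed : "#";
}

// Rebuilds the style string from scratch, keeping only allowlisted
// properties whose values contain none of the dangerous constructs.
function sanitizeStyle(cssText) {
  const kept = [];
  for (const decl of String(cssText).split(";")) {
    const idx = decl.indexOf(":");
    if (idx < 0) continue;                      // not a "prop: value" pair
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (!SAFE_PROPERTIES.has(prop) || value === "") continue;
    if (DANGEROUS_VALUE.test(value)) continue;
    kept.push(`${prop}: ${value}`);
  }
  return kept.join("; ");
}
```

Because the output is rebuilt from parsed declarations, the unknown-property issue from the Known Issues section does not depend on the browser's parser: "blah: expression(...)" is dropped on every browser, not only where cssText normalization removes it.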