I have been having a ponder on Cross Site Scripting over the past few days and really thinking about how to keep your rear covered without removing functionality from the user that is, for instance, using tinymce or similar as a real text editor.
I have started to go through the list of elements and tags that could be exploited. The $triggers and their content would be removed, and possibly the same with the $tags. However, would the best course of action, if a rogue tag is found, be to throw the user an error to address it, or just remove it from the process?
public function xss($data)
{
    // Block-list approach: strip the listed event-handler attributes (with their values), case-insensitively
    $triggers = array('onblur', 'onclick', 'ondblclick', 'onfocus', 'onkeydown', 'onkeypress', 'onkeyup', 'onmousedown', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup');
    $tags = array('<script>', '<style>', '<applet>', '<bgsound>', '<embed>', '<frame>', '<frameset>', '<head>', '<html>', '<body>', '<iframe>', '<link>', '<meta>', '<param>', '<object>');
    foreach ($triggers as $trigger) {
        $data = preg_replace('/\s' . $trigger . '\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]*)/i', '', $data);
    }
    // Strip the listed tags (opening and closing forms, any attributes); their inner text is kept
    foreach ($tags as $tag) {
        $data = preg_replace('#</?' . trim($tag, '<>') . '\b[^>]*>#i', '', $data);
    }
    return $data;
}
The main thing is: am I seriously missing anything that could be used within an XSS attack?
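Since the question is what a block-list like the one above misses, here is an added example (not the poster's code) of the opposite approach: an allow-list sanitizer built on PHP's DOMDocument that keeps only named tags, attributes and URL schemes and drops everything else, so unlisted handlers such as onerror, `javascript:` links and case-mangled tags are removed without the filter having to know about each of them. The tag, attribute and scheme lists are an assumed editor policy, not something taken from the question.

```php
<?php
// Added example, not the poster's code: allow-list sanitizer on PHP's DOMDocument. The tag,
// attribute and URL-scheme lists are an assumed editor policy, not something from the question.
const ALLOWED_TAGS = ['p' => [], 'br' => [], 'b' => [], 'i' => [], 'strong' => [], 'em' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'a' => ['href', 'title'], 'img' => ['src', 'alt']];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function clean_node(DOMNode $node): void
{
    // Snapshot the list first: mutating a live NodeList while iterating it skips siblings
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!$child instanceof DOMElement) {          // keep text (re-escaped on output), drop comments etc.
            if (!$child instanceof DOMText) { $node->removeChild($child); }
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_TAGS[$tag])) {
            // Unlisted element: script/style bodies are dropped, anything else is unwrapped to its text
            $keep = in_array($tag, ['script', 'style'], true) ? '' : $child->textContent;
            $node->replaceChild($node->ownerDocument->createTextNode($keep), $child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            // Browsers skip control chars/whitespace inside a scheme, so strip them before checking
            $probe = preg_replace('/[\x00-\x20]+/', '', $attr->value);
            $badScheme = preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)
                && !in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
            if (!in_array(strtolower($attr->name), ALLOWED_TAGS[$tag], true) || $badScheme) {
                $child->removeAttribute($attr->name);  // drops every on* handler, style, etc.
            }
        }
        clean_node($child);
    }
}

function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                 // tolerate the tag soup real editors emit
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0); // our wrapper is first in document order
    clean_node($root);
    $out = '';
    foreach ($root->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}

// Constructed input: legitimate markup mixed with payloads the block-list above would miss
echo sanitize_html('<p onclick="x()">Hi <b>there</b></p><a href=" javascript:alert(1)">link</a>'
    . '<scRipt>alert(1)</scRipt><img src="x" onerror="alert(1)">'), PHP_EOL;
```

Unlisted elements are unwrapped to their text rather than rejected with an error, so the user keeps their prose; if you prefer the "throw the user an error" route from the question, have clean_node record what it stripped and surface that list instead of silently returning the cleaned markup.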