Insane in the IFRAME -- The case for client-side HTML sanitization

by Principal Security Software Engineer at Microsoft on Aug 23, 2013

Server-side HTML sanitization is a familiar web application building block, yet despite years of offensive security research, defensive "sanitizer science" is still a kind of voodoo magic. This talk makes the case that, because a server-side HTML sanitizer cannot faithfully simulate the parser of every user agent that will render its output, the client itself is the only party in a position to sanitize accurately: it can ask its own parser what a given byte sequence means. We will examine the DOM API primitives required to perform such client-side sanitization and review results and lessons learned from a prototype implementation.
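The abstract above names the primitives but does not show them, so the following is an added illustration of the approach, not code from the talk or from its prototype. It parses untrusted markup with the browser's own parser (`DOMParser` yields an inert document: scripts do not execute and subresources do not load), walks the resulting tree, and prunes it to an allowlist of elements and attributes, rejecting URL attributes whose scheme is not known to be safe. The allowlist is illustrative, and the `FakeNode` class is a constructed stand-in for the small DOM subset the walker uses so the logic can be exercised outside a browser; in a page you would pass `doc.body` from `DOMParser` and never touch `FakeNode`.

```javascript
// Added example: allowlist sanitizer over a tree built by the user agent's
// own HTML parser. The allowlist below is an assumption for illustration.
const ALLOWED_TAGS = new Set(['P', 'B', 'I', 'EM', 'STRONG', 'A', 'UL', 'OL', 'LI', 'BR']);
const ALLOWED_ATTRS = new Set(['href', 'title']);
const URL_ATTRS = new Set(['href']);
const SAFE_SCHEMES = /^(https?:|mailto:)$/i;

const ELEMENT_NODE = 1;
const TEXT_NODE = 3;

// True for relative references and for http(s)/mailto absolute URLs.
// Browsers ignore ASCII controls and whitespace inside a scheme
// ("java\tscript:"), so strip them before looking at the scheme.
function isSafeUrl(value) {
  const v = String(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(v);
  if (!m) return true;               // no scheme: relative URL
  return SAFE_SCHEMES.test(m[1]);
}

// Prune a subtree in place. Non-allowlisted elements are dropped together
// with their content (unwrapping them is another valid policy); comments
// and other non-element, non-text nodes are dropped as well.
function sanitizeTree(root) {
  // Snapshot the live NodeList: removing while iterating it skips siblings.
  for (const node of Array.from(root.childNodes)) {
    if (node.nodeType === TEXT_NODE) continue;
    if (node.nodeType !== ELEMENT_NODE || !ALLOWED_TAGS.has(node.nodeName.toUpperCase())) {
      root.removeChild(node);        // <script>, <iframe>, <style>, comments, ...
      continue;
    }
    for (const { name, value } of Array.from(node.attributes)) {
      const n = name.toLowerCase();
      if (!ALLOWED_ATTRS.has(n) || (URL_ATTRS.has(n) && !isSafeUrl(value))) {
        node.removeAttribute(name);  // on* handlers, style, unsafe href, ...
      }
    }
    sanitizeTree(node);
  }
}

// Browser entry point: let the user agent parse the markup, then prune.
// The DOMParser document is inert, so walking it executes nothing.
function sanitizeHtml(html) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  sanitizeTree(doc.body);
  return doc.body.innerHTML;
}

// Constructed stand-in for the DOM subset used above, only so the walker can
// run where DOMParser is absent (e.g. Node). It is not a parser; trees are
// built by hand.
class FakeNode {
  constructor(nodeName, attrs = {}, text = '') {
    this.nodeType = nodeName === '#text' ? TEXT_NODE : ELEMENT_NODE;
    this.nodeName = nodeName;
    this.textContent = text;
    this.attributes = Object.entries(attrs).map(([name, value]) => ({ name, value }));
    this.childNodes = [];
  }
  append(...kids) { this.childNodes.push(...kids); return this; }
  removeChild(n) { this.childNodes = this.childNodes.filter((k) => k !== n); }
  removeAttribute(name) { this.attributes = this.attributes.filter((a) => a.name !== name); }
  serialize() {
    if (this.nodeType === TEXT_NODE) return this.textContent;
    const tag = this.nodeName.toLowerCase();
    const attrs = this.attributes.map((a) => ` ${a.name}="${a.value}"`).join('');
    return `<${tag}${attrs}>${this.childNodes.map((c) => c.serialize()).join('')}</${tag}>`;
  }
}
const text = (s) => new FakeNode('#text', {}, s);

// Constructed sample: an inline handler, a disguised javascript: link, a
// benign link, and a <script> element.
function demo() {
  const body = new FakeNode('BODY').append(
    new FakeNode('P', { onclick: 'steal()' }).append(
      text('hello '),
      new FakeNode('A', { href: 'java\tscript:alert(1)', title: 't' }).append(text('link')),
      new FakeNode('A', { href: 'https://example.com/' }).append(text('ok')),
      new FakeNode('SCRIPT').append(text('evil()'))));
  sanitizeTree(body);
  return body.serialize();
}
```

Two caveats a practitioner will want. First, `sanitizeHtml` returns a string, and the consumer reparses that string when it assigns `innerHTML`; a round trip through serialization can produce a different tree from the one that was inspected (mutation XSS), so where possible adopt the sanitized nodes directly into the live document instead of their serialization. Second, the allowlist is the policy, and the walker only enforces it: the parser tells you what the markup *is*, which is exactly what a server-side sanitizer has to guess.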
