Cross-Site Scripting Protections: Permitted Elements and Attributes


Background

Brazos UI controls have been hardened against Cross-Site Scripting (XSS) vulnerabilities. One of the main methods for achieving these protections is blanket sanitization of various controls, which removes potentially exploitable HTML tags, attributes, and code. The security assumption is that unless one of these components is white-listed, it is removed.

Protection Details

The information listed here is current as of Brazos UI version 5.6.0.

Affected Controls

  • Output Text
  • Read-Only Table
  • The prepend and append text of Input controls
  • The labels of all controls

White List

The list of permitted elements and attributes is provided here to assist BPM developers in working within the bounds of XSS prevention.

Elements by type

| Element Type | Permitted Elements |
| --- | --- |
| Browsing Context | iframe |
| Content Sectioning | address, article, aside, header, h1, h2, h3, h4, h5, h6, nav, section |
| Text Content | blockquote, dd, div, dl, dt, figcaption, figure, hr, li, main, nl, ol, p, pre, ul |
| Inline Text Semantics | a, abbr, b, bdi, br, cite, code, data, dfn, em, i, kbd, q, rb, rp, rt, rtc, ruby, s, samp, small, span, strong, sub, sup, time, tt, var, wbr |
| Image and Multimedia | area, img, map |
| Embedded Content | None allowed |
| Scripting | None allowed |
| Demarcating Edits | del, ins |
| Table Content | caption, col, colgroup, table, tbody, td, tfoot, th, thead, tr |
| Forms | label, meter, output, progress |
| Interactive Elements | details, menu, menuitem, summary |
| Web Components | None allowed |
| Obsolete and Deprecated | acronym, big, center, font, strike |


Attributes by tag

| Element | Permitted Attributes |
| --- | --- |
| ALL | align, class, disabled, id, style, tabindex, title |
| a | href, name, rel, target |
| bdi | dir |
| blockquote | cite |
| col | bgcolor, char, charoff, span, valign, width |
| colgroup | bgcolor, char, charoff, span, valign, width |
| dd | nowrap |
| font | color, face, size |
| hr | color, noshade, size, width |
| img | alt, border, height, hspace, name, src, srcset, vspace, width |
| ins | cite, datetime |
| label | for |
| menu | type, label |
| menuitem | checked, disabled, icon, label, radiogroup, type |
| meter | value, min, max, low, high, optimum |
| output | for, form, name |
| progress | max, value |
| q | cite |
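To make the allow-list model concrete, here is an added example (written for this article, not Brazos UI's own sanitizer code) that applies the two tables above with Python's standard-library HTML parser. Elements that are not white-listed are unwrapped (the tag goes, the text stays), attributes that are not white-listed for that element or for ALL are dropped, and the contents of `script` and `style` are discarded entirely. The unwrap-versus-discard split and the handling of void elements are this example's own choices; the article does not describe how Brazos UI treats the content of a removed element.

```python
from html import escape
from html.parser import HTMLParser

# Allow list transcribed from the "Elements by type" table above.
PERMITTED_ELEMENTS = {
    "iframe",                                                        # browsing context
    "address", "article", "aside", "header", "h1", "h2", "h3", "h4",  # content sectioning
    "h5", "h6", "nav", "section",
    "blockquote", "dd", "div", "dl", "dt", "figcaption", "figure",   # text content
    "hr", "li", "main", "nl", "ol", "p", "pre", "ul",
    "a", "abbr", "b", "bdi", "br", "cite", "code", "data", "dfn",    # inline text semantics
    "em", "i", "kbd", "q", "rb", "rp", "rt", "rtc", "ruby", "s",
    "samp", "small", "span", "strong", "sub", "sup", "time", "tt",
    "var", "wbr",
    "area", "img", "map",                                            # image and multimedia
    "del", "ins",                                                    # demarcating edits
    "caption", "col", "colgroup", "table", "tbody", "td", "tfoot",   # table content
    "th", "thead", "tr",
    "label", "meter", "output", "progress",                          # forms
    "details", "menu", "menuitem", "summary",                        # interactive elements
    "acronym", "big", "center", "font", "strike",                    # obsolete and deprecated
}

# The "ALL" row and the per-element rows of the "Attributes by tag" table above.
GLOBAL_ATTRIBUTES = {"align", "class", "disabled", "id", "style", "tabindex", "title"}
PERMITTED_ATTRIBUTES = {
    "a": {"href", "name", "rel", "target"},
    "bdi": {"dir"},
    "blockquote": {"cite"},
    "col": {"bgcolor", "char", "charoff", "span", "valign", "width"},
    "colgroup": {"bgcolor", "char", "charoff", "span", "valign", "width"},
    "dd": {"nowrap"},
    "font": {"color", "face", "size"},
    "hr": {"color", "noshade", "size", "width"},
    "img": {"alt", "border", "height", "hspace", "name", "src", "srcset", "vspace", "width"},
    "ins": {"cite", "datetime"},
    "label": {"for"},
    "menu": {"type", "label"},
    "menuitem": {"checked", "disabled", "icon", "label", "radiogroup", "type"},
    "meter": {"value", "min", "max", "low", "high", "optimum"},
    "output": {"for", "form", "name"},
    "progress": {"max", "value"},
    "q": {"cite"},
}

# This example's own policy (not stated in the article): these elements lose their
# text content as well as their tags; every other non-permitted element is unwrapped.
DROP_WITH_CONTENT = {"script", "style"}

# Void elements never get a closing tag in HTML, so none is emitted for them.
VOID_ELEMENTS = {"area", "br", "col", "hr", "img", "wbr"}


class AllowListSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only white-listed elements and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.suppress_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.suppress_depth:
            return
        if tag in DROP_WITH_CONTENT:
            self.suppress_depth = 1
            return
        if tag not in PERMITTED_ELEMENTS:
            return  # unwrap: tag is dropped, its children are still processed
        allowed = GLOBAL_ATTRIBUTES | PERMITTED_ATTRIBUTES.get(tag, set())
        parts = [tag]
        for name, value in attrs:
            if name not in allowed:
                continue  # e.g. event-handler attributes are never on the list
            if value is None:
                parts.append(name)  # boolean attribute such as nowrap or noshade
            else:
                parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if self.suppress_depth:
            if tag in DROP_WITH_CONTENT:
                self.suppress_depth -= 1
            return
        if tag in PERMITTED_ELEMENTS and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # The parser decoded character references; re-escape so text stays text.
        if not self.suppress_depth:
            self.out.append(escape(data, quote=False))


def sanitize(fragment):
    """Return the fragment with only white-listed elements and attributes."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input: a handler attribute, a script element, and a video element.
    print(sanitize('<p onclick="f()">Hi <script>alert(1)</script><b class="x">bold</b></p>'))
    print(sanitize('<video src="v.mp4"><img src="a.png" onerror="g()" alt="A"></video>'))
```

Note that the tables white-list attributes by name only; an attribute such as `href`, `src` or `style` being permitted says nothing about what values a deployment accepts, so value-level rules are a separate concern from the element and attribute allow list this example implements.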


Additional Information

The OWASP wiki on Cross-Site Scripting contains a great deal of information on vulnerabilities, testing, and preventative measures related to XSS.

If you would like to request an additional element or attribute be considered for white-listing, please open a ticket with BP3 Support to explain your use case.
