Background
Brazos UI controls have been hardened against Cross-Site Scripting (XSS) vulnerabilities. One of the main methods for achieving these protections is through blanket sanitization of various controls to remove potentially exploitable HTML tags, attributes, and code. The security assumption is that unless one of these components is white-listed, it should be removed.
Protection Details
The information listed here is current as of Brazos UI version 5.6.0.
Affected Controls
- Output Text
- Read-Only Table
- The prepend and append text of Input controls
- The labels of all controls
White List
The list of permitted elements and attributes are provided here to assist BPM developers in working within the bounds of XSS prevention.
Elements by type
| Element Type | Permitted Elements |
| Browsing Context | iframe |
| Content sectioning | address, article, aside, header, h1, h2, h3, h4, h5, h6, nav, section |
| Text Content | blockquote, dd, div, dl, dt, figcaption, figure, hr, li, main, nl, ol, p, pre, ul |
| Inline Text Semantics | a, abbr, b, bdi, br, cite, code, data, dfn, em, i, kbd, q, rb, rp, rt, rtc, ruby, s, samp, small, span, strong, sub, sup, time, tt, var, wbr |
| Image and Multimedia | area, img, map |
| Embedded Content | None allowed |
| Scripting | None allowed |
| Demarcating Edits | del, ins |
| Table Content | caption, col, colgroup, table, tbody, td, tfoot, th, thead, tr |
| Forms | label, meter, output, progress |
| Interactive Elements | details, menu, menuitem, summary |
| Web Components | None allowed |
| Obsolete and Deprecated | acronym, big, center, font, strike |
Attributes (by tag):
| Element | Permitted Attributes |
| ALL | align, class, disabled, id, style, tabindex, title |
| a | href, name, rel, target |
| bdi | dir |
| blockquote | cite |
| col | bgcolor, char, charoff, span, valign, width |
| colgroup | bgcolo, char, charoff, span, valign, width |
| dd | nowrap |
| font | color, face, size |
| hr | color, noshade, size, width |
| img | alt, border, height, hspace, name, src, srcset, width, vspacesrc |
| ins | cite, datetime |
| label | for |
| menu | type, label |
| menuitem | checked, disabled, icon, label, radiogroup, type |
| meter | value, min, max, low, high, optimum |
| output | for, form, name |
| progress | max, value |
| q | cite |
Additional Information
The OWASP wiki on Cross-Site Scripting contains a great deal of information on vulnerabilities, testing, and preventative measures related to XSS.
If you would like to request an additional element or attribute be considered for white-listing, please open a ticket with BP3 Support to explain your use case.
Comments
0 comments
Please sign in to leave a comment.