Published 15 years 2 months ago • Last updated April 11, 2025 • ⏱️ 3 min read
So I hope you've enjoyed our blog fight between me and Pádraic Brady. I sense a lack of a sense if humour in his last post :( his blanket claims that regex html validation sucks were obviously unjustified. Anyway I was waiting for a cool XSS hole in HTMLReg from him, it never came :( he did raise a valid point about a "clickjacking" threat so I decided to update HTMLReg/CSSReg to enable a site to disable all CSS positioning. Thanks very much Pádraic for reporting this issue!
HTMLReg and CSSReg now have the option "disablePositioning" this will stop you from be able to define elements which overlap each other, which is useful in a validation scenario not a iframe sandbox scenario (which HTMLReg was originally intended). It's quite easy to use:-
HTMLReg.disablePositioning = true; alert(HTMLReg.parse("<div style=position:absolute;></div>")); // <div></div>
I didn't stop there while I had my IDE open, I decided to add a validate HTML option, using the new "DOMParser" feature. As I looked deeper into the feature I wish I hadn't bothered :( when a invalid XML markup is encountered IE throws exception. FF, Op, Webkit doesn't. Webkit transforms XML and adds a parsing error node/FF entitiy encodes. Ugh. So anyway hopefully I made a cross browser solution which will prevent any invalid HTML markup. Anyway this is what I came up with that should work on newer browsers and older versions of IE:
StringtoXML = function (text){ try { if(window.DOMParser) { var parser=new DOMParser(); var doc=parser.parseFromString(text,'text/xml'); var xml = (new XMLSerializer()).serializeToString(doc); xml = xml.replace(/^<\?[^?]+\?>\s*/,''); if(/<parsererror[^>]+>/.test(xml)) { return 'Invalid HTML markup'; } else { return xml; } } else if(window.ActiveXObject){ var doc=new ActiveXObject('Microsoft.XMLDOM'); doc.async='false'; doc.loadXML(text); if(!doc.xml) { throw {}; } return doc.xml; } else { return text; } } catch(e) { return 'Invalid HTML markup'; } }
An excellent bug was found by Paul Stone as a result of this blog fight :) In Firefox RC4 & latest Chrome he noticed that HTMLReg was allowing invalid CSS markup, as he quite rightly pointed out HTMLReg was checking if cssText contained something in RC4 but it wasn't passing the check as a result the invalid CSS was being allowed. The fix for this was quite simple and involved removing the style attribute if the cssText check wasn't passed. This didn't create a security breach as the invalid CSS was just that invalid and other browsers such as IE didn't allow this markup to be executed but it was a cool bug since HTMLReg should not allow this invalid string.
The vector looked like this:-
<div style="xxx">test</div>
The fix was simply to do this:-
if(element.getAttribute("style") !== '' && element.getAttribute("style") !== null && element.style.cssText !== '') { ... } else { //drop style attribute if it exists element.style.cssText = null; element.setAttribute("style",""); element.removeAttribute('style'); }
HTMLReg is in the ring waiting for you, please get in your corner and try your luck. I doubt you can win :)