Whitelists for Select Widgets
Security improvements made in ThingWorx 8.4.1 to the Blog, Wiki, and HTML Text Area widgets and to the List and Grid HTML renderers. These updates resulted in a new configurable
Caja library from Google that specifies a whitelist of HTML elements and attributes that can be used with these widgets and renderers. The whitelists are listed below for convenience and are also available from Google.
Elements Whitelist
{
"description": [
"See http://code.google.com/p/google-caja/wiki/CajaWhitelists",
"The denied is not necessary but lets us document why they're denied."
],
"allowed": [
"A",
"ABBR",
"ACRONYM",
"ADDRESS",
"AREA",
"B",
"BDO",
"BIG",
"BLOCKQUOTE",
"BR",
"BUTTON",
"CAPTION",
"CENTER",
"CITE",
"CODE",
"COL",
"COLGROUP",
"DD",
"DEL",
"DFN",
"DIR",
"DIV",
"DL",
"DT",
"EM",
"FIELDSET",
"FONT",
"H1",
"H2",
"H3",
"H4",
"H5",
"H6",
"HR",
"I",
"IFRAME",
"IMG",
"INPUT",
"INS",
"KBD",
"LABEL",
"LEGEND",
"LI",
"MAP",
"MENU",
"OL",
"OPTGROUP",
"OPTION",
"P",
"PRE",
"Q",
"S",
"SAMP",
"SELECT",
"SMALL",
"SPAN",
"STRIKE",
"STRONG",
"SUB",
"SUP",
"TABLE",
"TBODY",
"TD",
"TEXTAREA",
"TFOOT",
"TH",
"THEAD",
"TR",
"TT",
"U",
"UL",
"VAR"
],
"denied": [
{ "key": "APPLET",
"reason": "disallow because allows scripting" },
{ "key": "BASE",
"reason":
"affects global state and could be used to redirect requests" },
{ "key": "BASEFONT",
"reason": "affects global state" },
{ "key": "BODY",
"reason": "a global level tag" },
{ "key": "FRAME",
"reason": "can be used to cause javascript execution" },
{ "key": "FRAMESET",
"reason": "only useful with banned elements" },
{ "key": "HEAD",
"reason": "a global level tag" },
{ "key": "HTML",
"reason": "a global level tag" },
{ "key": "ISINDEX",
"reason": "can be used to change page location" },
{ "key": "LINK",
"reason": "can be used to load other javascript, e.g. on print" },
{ "key": "META",
"reason": "can be used to cause page reloads" },
{ "key": "NOFRAMES",
"reason": "useless since frames can't be used" },
{ "key": "NOSCRIPT",
"reason": "useless since javascript must be loaded" },
{ "key": "OBJECT",
"reason": "allows scripting" },
{ "key": "PARAM",
"reason": "useless since applet and object banned" },
{ "key": "SCRIPT",
"reason": "allows execution of arbitrary script" },
{ "key": "STYLE",
"reason": "allows global definition of styles." },
{ "key": "TITLE",
"reason": "a global level tag" }
]
}
Attributes Whitelist
{
"description":
"A whitelist of allowed attributes by element and attribute name.",
"allowed": [
"TD::ABBR",
"TH::ABBR",
"FORM::ACCEPT",
"INPUT::ACCEPT",
"A::ACCESSKEY",
"AREA::ACCESSKEY",
"BUTTON::ACCESSKEY",
"INPUT::ACCESSKEY",
"LABEL::ACCESSKEY",
"LEGEND::ACCESSKEY",
"TEXTAREA::ACCESSKEY",
"FORM::ACTION",
"CAPTION::ALIGN",
"IFRAME::ALIGN",
"IMG::ALIGN",
"INPUT::ALIGN",
"LEGEND::ALIGN",
"TABLE::ALIGN",
"HR::ALIGN",
"DIV::ALIGN",
"H1::ALIGN",
"H2::ALIGN",
"H3::ALIGN",
"H4::ALIGN",
"H5::ALIGN",
"H6::ALIGN",
"P::ALIGN",
"COL::ALIGN",
"COLGROUP::ALIGN",
"TBODY::ALIGN",
"TD::ALIGN",
"TFOOT::ALIGN",
"TH::ALIGN",
"THEAD::ALIGN",
"TR::ALIGN",
"BODY::ALINK",
"AREA::ALT",
"IMG::ALT",
"INPUT::ALT",
"TD::AXIS",
"TH::AXIS",
"BODY::BACKGROUND",
"TABLE::BGCOLOR",
"TR::BGCOLOR",
"TD::BGCOLOR",
"TH::BGCOLOR",
"BODY::BGCOLOR",
"TABLE::BORDER",
"IMG::BORDER",
"TABLE::CELLPADDING",
"TABLE::CELLSPACING",
"COL::CHAR",
"COLGROUP::CHAR",
"TBODY::CHAR",
"TD::CHAR",
"TFOOT::CHAR",
"TH::CHAR",
"THEAD::CHAR",
"TR::CHAR",
"COL::CHAROFF",
"COLGROUP::CHAROFF",
"TBODY::CHAROFF",
"TD::CHAROFF",
"TFOOT::CHAROFF",
"TH::CHAROFF",
"THEAD::CHAROFF",
"TR::CHAROFF",
"INPUT::CHECKED",
"BLOCKQUOTE::CITE",
"Q::CITE",
"DEL::CITE",
"INS::CITE",
"*::CLASS",
"BR::CLEAR",
"FONT::COLOR",
"TEXTAREA::COLS",
"TD::COLSPAN",
"TH::COLSPAN",
"DIR::COMPACT",
"DL::COMPACT",
"MENU::COMPACT",
"OL::COMPACT",
"UL::COMPACT",
"AREA::COORDS",
"A::COORDS",
"DEL::DATETIME",
"INS::DATETIME",
"*::DIR",
"BDO::DIR",
"BUTTON::DISABLED",
"INPUT::DISABLED",
"OPTGROUP::DISABLED",
"OPTION::DISABLED",
"SELECT::DISABLED",
"TEXTAREA::DISABLED",
"FORM::ENCTYPE",
"FONT::FACE",
"LABEL::FOR",
"TABLE::FRAME",
"IFRAME::FRAMEBORDER",
"TD::HEADERS",
"TH::HEADERS",
"IFRAME::HEIGHT",
"TD::HEIGHT",
"TH::HEIGHT",
"IMG::HEIGHT",
"A::HREF",
"AREA::HREF",
"A::HREFLANG",
"IMG::HSPACE",
"*::ID",
"IMG::ISMAP",
"INPUT::ISMAP",
"OPTION::LABEL",
"OPTGROUP::LABEL",
"*::LANG",
"BODY::LINK",
"IFRAME::MARGINHEIGHT",
"IFRAME::MARGINWIDTH",
"INPUT::MAXLENGTH",
"FORM::METHOD",
"SELECT::MULTIPLE",
"BUTTON::NAME",
"TEXTAREA::NAME",
"SELECT::NAME",
"FORM::NAME",
"FRAME::NAME",
"IMG::NAME",
"A::NAME",
"INPUT::NAME",
"MAP::NAME",
"AREA::NOHREF",
"HR::NOSHADE",
"TD::NOWRAP",
"TH::NOWRAP",
"A::ONBLUR",
"AREA::ONBLUR",
"BUTTON::ONBLUR",
"INPUT::ONBLUR",
"LABEL::ONBLUR",
"SELECT::ONBLUR",
"TEXTAREA::ONBLUR",
"INPUT::ONCHANGE",
"SELECT::ONCHANGE",
"TEXTAREA::ONCHANGE",
"*::ONCLICK",
"*::ONDBLCLICK",
"A::ONFOCUS",
"AREA::ONFOCUS",
"BUTTON::ONFOCUS",
"INPUT::ONFOCUS",
"LABEL::ONFOCUS",
"SELECT::ONFOCUS",
"TEXTAREA::ONFOCUS",
"*::ONKEYDOWN",
"*::ONKEYPRESS",
"*::ONKEYUP",
"BODY::ONLOAD",
"*::ONMOUSEDOWN",
"*::ONMOUSEMOVE",
"*::ONMOUSEOUT",
"*::ONMOUSEOVER",
"*::ONMOUSEUP",
"FORM::ONRESET",
"*::ONSCROLL",
"INPUT::ONSELECT",
"TEXTAREA::ONSELECT",
"FORM::ONSUBMIT",
"BODY::ONUNLOAD",
"TEXTAREA::READONLY",
"INPUT::READONLY",
"TEXTAREA::ROWS",
"TD::ROWSPAN",
"TH::ROWSPAN",
"TABLE::RULES",
"TD::SCOPE",
"TH::SCOPE",
"OPTION::SELECTED",
"AREA::SHAPE",
"A::SHAPE",
"HR::SIZE",
"FONT::SIZE",
"INPUT::SIZE",
"SELECT::SIZE",
"COL::SPAN",
"COLGROUP::SPAN",
"IFRAME::SRC",
"INPUT::SRC",
"IMG::SRC",
"OL::START",
"*::STYLE",
"TABLE::SUMMARY",
"*::TABINDEX",
"A::TARGET",
"AREA::TARGET",
"FORM::TARGET",
"BODY::TEXT",
"*::TITLE",
"A::TYPE",
"INPUT::TYPE",
"LI::TYPE",
"OL::TYPE",
"UL::TYPE",
"BUTTON::TYPE",
"IMG::USEMAP",
"INPUT::USEMAP",
"COL::VALIGN",
"COLGROUP::VALIGN",
"TBODY::VALIGN",
"TD::VALIGN",
"TFOOT::VALIGN",
"TH::VALIGN",
"THEAD::VALIGN",
"TR::VALIGN",
"INPUT::VALUE",
"OPTION::VALUE",
"BUTTON::VALUE",
"LI::VALUE",
"HTML::VERSION",
"BODY::VLINK",
"IMG::VSPACE",
"COL::WIDTH",
"COLGROUP::WIDTH",
"HR::WIDTH",
"IFRAME::WIDTH",
"IMG::WIDTH",
"PRE::WIDTH",
"TABLE::WIDTH",
"TD::WIDTH",
"TH::WIDTH"
],
"denied": [
{ "key": "FORM::ACCEPT-CHARSET",
"reason": [
"Per bug 585, this is an infrequently used and poorly",
"understood attribute that could lead to mismatched encoding",
"attacks. Could be used to sneak content through a proxy in a",
"wrong encoding?"
] },
{ "key": "A::CHARSET",
"reason": [
"Per bug 585: Charset is disallowed since it allows overriding",
"of Content-type headers. A server might specify UTF-8 via the",
"header Content-type:text/javascript;charset=UTF-8, but an",
"embedding page might cause that file to be interpreted as UTF-7.",
"According to http://www.w3schools.com/TAGS/att_a_charset.asp: ",
"The charset attribute is not supported in any of the major browsers."
] },
{ "key": "A::REL",
"reason": [
"Can make an assertion about the entire page.",
"TODO(kpreid): Allow filtering rels to include e.g. 'nofollow'"
] },
{ "key": "A::REV",
"reason": [
"Can make an assertion about the entire page.",
"TODO(kpreid): Allow filtering rels to include e.g. 'nofollow'"
] },
"LINK::CHARSET",
"SCRIPT::CHARSET",
{ "key": "IMG::LONGDESC",
"reason": "Not supported by any major browser" },
{ "key": "IFRAME::LONGDESC",
"reason": "Not supported by any major browser" }
],
"types": [
{ "key": "IFRAME::ID",
"type": "ID", "optional": true,
"reason": [
"We allow a restricted set of attributes on IFRAMEs to allow them ",
"to be used as shims to work around IE layout bugs.",
"But we do not allow either NAME or ID since those are not ",
"required for shims and affect publicly visible browser global ",
"state like the frame graph."
] }
]