Are HTML-only widgets secure?

I would like to display some boxes on random pages through a browser plug-in. The content of these boxes is also random.

Is a simple check to remove scripts from said boxes enough开发者_运维百科 to offer a user a safe experience?

Do I have to put the boxes in iframes?

Do I have strip off additional code from HTML? (is removing 'script' tags enough?)

Do you know of some library that can do that automatically?

Do I have to put the boxes in iframes?

Yes or no, depending on your definition of safe. That will not stop the scripts from initiating downloads of malware, redirecting the user to a phishing page, XSRFing a poorly designed site the user is currently logged into.

Is a simple check to remove scripts from said boxes enough to offer a user a safe experience?

No. There are many ways to embed scripts, and simple checks rarely get it right. For example, scripts can be embedded in links, CSS, SVG, data: URLs, etc. Don't roll your own HTML sanitizer.

Directly relevant to your question about safe HTML widgets though is sandboxed JavaScript. See http://code.google.com/p/google-caja/wiki/CorkboardDemo

No, plane HTML can still be malicious. An <iframe> could be used to load a drive-by-exploit from any website. an <img> tag could be used to exploit a GET based Cross-Site Request Forgery(CSRF) vulnerability. A POST based CSRF exploit would require one line of javascript or some user interaction.

Removing javascript form html is far more complex than just removing script tags. HTMLPurier is comprised of hundreds of regular expressions and its the best method of removing javascript, but its not perfect.

That all depends on from where the content is coming from and what kind of content it is.

For example, if the content is just text from your site, you might want to filter out HTML, just in case.