
Disabling javascript in specific block/div (containing suspect HTML)?

Is it, in any way, possible to disable the browser's execution of script inside a block/section/element?

My scenario is that I'm letting my (future) users create "rich content" (using CKEditor). Content that will later be shown to other users - with all the dangers that implies: XSS, redirection, identity theft, spam and what not...

I've, more or less, given up on trying to "sanitize" the incoming XHTML, after seeing how many known "vectors of attack" there are: http://ha.ckers.org/xss.html

What I'm really looking for is something like:

    <div id="userContent"><scriptOFF>
    suspect HTML
    </scriptOFF></div>


The ideal way is to not accept html/javascript from the end users. If you are okay with that limitation, you just need to make sure you encode the output according to the appropriate context. Don't re-invent the wheel, just use an existing library for that purpose.

But if you must accept HTML, use a library like OWASP's AntiSamy or HTML Purifier. They were built exactly for this purpose.


You have to sanitize the input, there is no way to selectively disable javascript that I know of.

It is important to use a whitelist of allowed tags, not a blacklist. That way it should be possible to do it safely.


Even if you used a "noscript" tag or a "textarea" tag it's still XSS. What's keeping the attacker from injecting closing tags?

    <div id="userContent"><scriptOFF>
    <?=$_GET['xss']?>
    </scriptOFF></div>

But it's still XSS:

    http://localhost/xss.php?xss=</scriptOFF></div> <script> alert(/still_xss/) </script>


Yes, but that "whitelist" would be HUGE - and I'm far from competent enough to detect subtle loopholes, à la those described here: http://ha.ckers.org/xss.html

This would need to be a "community effort" - looking at HTML-purifier (http://htmlpurifier.org) now...

I just thought it would be great to have such a tag to prevent 99% of the XSS "vectors"

  • Can "anyone in power" please convince the browser-makers to implement it : )

Edit: Alright. HTML-purifier it is! - thanks to everybody for replying : )


@sri mentioned where to find "html5 iframe sandbox" information, here is a test script.

What you should see is "Browser supports iframe sandbox attribute :)" if you are viewing in Chromium.

You might also get positive results in KHTML/WebKit based browsers like phone browsers. Opera 11, Firefox 3.6 and Firefox 4 have yet to implement the sandbox attribute.

Article explaining background and current state at gnubyexample.blogspot.com
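As an added example (not code from the thread or from any answerer), here is the sandboxed-iframe approach combined with the context-appropriate encoding recommended above: the untrusted HTML is placed in a srcdoc attribute, escaped for the attribute context so the closing-tag trick from the earlier answer cannot break out of the wrapper, and the empty sandbox attribute (assumed to be honoured by the browser, as it is in Chromium) is what actually stops scripts from running. The id "userContent" is taken from the question; everything else is assumed.

```javascript
// Added example, not from the original thread. Assumes a browser that honours
// the HTML5 iframe sandbox attribute; browsers without srcdoc support render
// an empty frame and give no protection.

const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Build the wrapper markup. An empty sandbox="" applies every restriction:
// no script execution, no form submission, no top-level navigation and a
// unique origin (no access to the host page's cookies or DOM).
// The browser decodes the entities when it parses the srcdoc document, so
// the user's <script> tag still exists inside the frame; the sandbox is what
// stops it from running, the escaping only keeps the attribute intact.
function sandboxedEmbed(userHtml) {
  return '<iframe id="userContent" sandbox="" srcdoc="' + escapeAttr(userHtml) + '"></iframe>';
}

// Defensive check: true only if the markup is exactly one iframe element whose
// srcdoc value contains no raw <, > or " (i.e. the user content could not have
// closed the attribute or the tag).
function wrapperIntact(markup) {
  const m = /^<iframe id="userContent" sandbox="" srcdoc="([^"]*)"><\/iframe>$/.exec(markup);
  return m !== null && !/[<>"]/.test(m[1]);
}

// Constructed sample: the closing-tag breakout payload from the earlier answer.
const BREAKOUT = '</scriptOFF></div> <script> alert(/still_xss/) </script>';

console.log(sandboxedEmbed(BREAKOUT));
console.log('wrapper intact:', wrapperIntact(sandboxedEmbed(BREAKOUT)));
```

Note that the frame content is still rendered as HTML (images, links, styles), so this replaces the impossible "scriptOFF" tag, not the need for a whitelist sanitizer if you want to restrict what the content may contain.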


No, but then again you should definitely not be allowing your users to hand-feed code into the page in the first place.

Don't attempt to sanitize Javascript; do not allow Javascript. In fact, do not allow HTML at all. Write your own limited markup language (ala BBCode) or allow a select few HTML tags if you really have to.

i.e. Be additive rather than subtractive with your security endeavours.
