I'm looking for a simple list of all the html attributes that can contain javascript that will automatically run when an action is performed. I know this will differ between browsers and versions but I'd rather be safer than sorry. I currently know of the following javascript attributes: `onload`, `onclick`, `onchange`, `onmouseover`, `onmouseout`, `onmousedown`, and `onmouseup`.

Backstory: I'm getting a full html document from an untrusted source and I want to strip all javascript that could run from the original html document, so I'm removing all script tags as well as any attributes that could hold javascript before it's displayed in an iframe. For this implementation there is no server side processing and no way of sandboxing the code, since I need to run javascript that is being added locally after all of the original javascript is removed.
asked Jan 9, 2015 at 1:15 by Scott; edited Feb 1, 2015 at 16:23 by Deduplicator

Comments:
- Found some useful info and checks at html5sec.org – Scott, Jan 11, 2015 at 23:28
- You probably should just use a thoroughly tested HTML sanitizer library. – mb21, Oct 20, 2018 at 10:03
2 Answers
There are two places where Javascript can be used in HTML attributes:

1. Any `onEVENT` attribute. I suggest just treating any attribute that begins with `on` as an event binding, and strip them all out.
2. Any attribute that can contain a URI will be executed as Javascript if the URI uses the `javascript:` scheme, such as `href` and `src`. A complete list is in COMPLETE list of HTML tag attributes which have a URL value?
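The two rules above, as an added example that is not part of the question or either answer: browser JavaScript that parses the untrusted document in an inert DOMParser document (scripts in it do not run), removes script-bearing elements, drops every attribute starting with `on`, and checks URL attributes against a scheme allowlist rather than only rejecting `javascript:`. The function names, the element list and the attribute lists are this example's own assumptions, not from the answer.

```javascript
// Attributes whose value is a URL: a javascript:, data: or vbscript: value
// here executes on click, navigation or load (list is this example's choice).
const URL_ATTRIBUTES = new Set([
  'href', 'src', 'action', 'formaction', 'data', 'poster',
  'background', 'cite', 'longdesc', 'codebase', 'xlink:href',
]);
// srcdoc embeds a whole document; style is kept out because of legacy IE
// expression() and url(javascript:) support.
const ALWAYS_STRIP = new Set(['srcdoc', 'style']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
// Elements that carry or load code; "base" is included because it can
// redirect every relative URL in the document.
const SCRIPT_ELEMENTS = new Set(['script', 'object', 'embed', 'applet', 'base']);

// Normalise the way browsers do before the scheme is read: strip leading and
// trailing C0 controls/space, and remove tab, LF and CR anywhere in the value,
// so "  java\tscript:" is still recognised as javascript:.
function normalizeUrl(value) {
  return String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

function isEventHandlerAttribute(name) {
  return /^on/i.test(name);
}

// A URL is safe when it is relative (no scheme) or uses an allowlisted scheme.
function isSafeUrl(value) {
  const match = /^([a-z][a-z0-9+.\-]*):/i.exec(normalizeUrl(value));
  if (!match) return true;
  return SAFE_SCHEMES.has(match[1].toLowerCase());
}

// Per-attribute decision; pure, so it can be unit-tested without a DOM.
function shouldStripAttribute(name, value) {
  const n = name.toLowerCase();
  if (isEventHandlerAttribute(n) || ALWAYS_STRIP.has(n)) return true;
  if (URL_ATTRIBUTES.has(n)) return !isSafeUrl(value);
  return false;
}

// DOM walk over the parsed document; parse first, then prune, never regex the markup.
function sanitizeHtml(html) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  for (const el of Array.from(doc.querySelectorAll('*'))) {
    if (SCRIPT_ELEMENTS.has(el.localName)) { el.remove(); continue; }
    for (const attr of Array.from(el.attributes)) {   // copy: attributes is live
      if (shouldStripAttribute(attr.name, attr.value)) el.removeAttribute(attr.name);
    }
  }
  return doc.documentElement.outerHTML;
}
```

`sanitizeHtml` needs a browser `DOMParser`; the decision functions run anywhere, so they can be tested in Node.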
http://www.w3.org/TR/html401/interact/scripts.html#h-18.2.3
Scroll down to 18.2.3 Intrinsic events
I've had a similar requirement in a project. Don't forget to strip script elements, as well.