Is it possible to make an xss with only html tags
Yes. It's trivial.
<div onmouseover="alert(1)" style="position:fixed;left:0;top:0;width:9999px;height:9999px;"></div>
Might want to save your work before trying that, though - the alert might show repeatedly as you move your mouse across the screen.
Of course, a better attack would involve destroying the div
as soon as the JavaScript is called, in order to make it look legitimate.
You should escape all output in order to avoid this.
Yes, almost all HTML tags allow you to declare an event handler. Some of these events could be triggered when the page loads without user interaction:
<img src=x onerror=alert(1) />
Event tags are not the only way to trigger xss:
<a href=javascript:alert(1)>xss</a>
One possilbe solution is to set the Content Security Policy for this page
X-Content-Security-Policy: unsafe-inline
Just make sure to actually test your solution. Don't take anyone's word. (Also the CSP is new)
Another option is PHP's HTMLPurifer which is more advanced than Ruby's Sanitize.
Yes: <img onerror=alert(document.cookie) src=1 />
The requirements for output escaping vary based on location in the document. Text that is meant to be in an HTML attribute must be escaped differently ('"
) than text intended to be in an HTML element (<>
), for example. The OWASP Enterprise Security API (ESAPI) is a good way to handle this, since it provides escaping mechanisms for all the different contexts. The Ruby version can be found on Github.