Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Validation of CSP directives
Posted by: p0deje
Date: April 12, 2011 08:28AM

Hello slackers,

I'm currently working on a CSP implementation. It has an admin page for setting up policies. Apart from the HTTP header, I also place the directives in a <meta> tag, like this:
print('<meta http-equiv="X-Content-Security-Policy" content="' . $directives . '" />');

It's necessary to validate the directives, since I put them into HTML. I currently have this regex:
[^( \.\*\/\-\:'self''none'a-zA-Z0-9]

Is this enough validation, or did I miss some XSS vectors?

---------
http://p0deje.blogspot.com



Edited 1 time(s). Last edit at 04/12/2011 09:01AM by p0deje.

Re: Validation of CSP directives
Posted by: irsdl
Date: April 15, 2011 06:34PM

I think this can do what you want (white-list):
([\ ]*(allow|img-src|script-src|object-src|frame-src|report-uri|policy-uri))([\ \*\.\-\w\d]+;?)

Soroush Dalili
Soroush.SecProject.Com
SDL.me

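As an added example (not code from either poster), here is the whitelist approach from the reply above carried through in Python: the policy string is split into directives, each directive name is checked against the list from that reply, each value is checked against an assumed, simplified X-Content-Security-Policy source grammar ('self', 'none', *, host with optional scheme, wildcard subdomain and port, and data:), and only the re-serialised, HTML-encoded result is placed into the content attribute. Everything else (the directive list, the grammar, the helper names) is an assumption made here for illustration.

```python
from __future__ import annotations

import html
import re

# Directive names as listed in the whitelist regex from the reply above (assumed to be
# the complete set for this admin page; the real header supported more).
DIRECTIVES = frozenset({
    "allow", "img-src", "script-src", "object-src", "frame-src",
    "report-uri", "policy-uri",
})

# Assumed, simplified source-expression grammar. Anchored with ^ and $ so a token
# either matches the whole expression or is rejected; a stray quote, angle bracket
# or space can never slip through as part of an otherwise valid token.
SOURCE_RE = re.compile(r"""^(?:
    'self' | 'none' | \*
  | (?:[a-z][a-z0-9+.-]*://)?           # optional scheme, e.g. https://
    (?:\*\.)?                            # optional wildcard subdomain
    [a-z0-9-]+(?:\.[a-z0-9-]+)*          # host
    (?::\d{1,5})?                        # optional port
  | data:                                # assumed: the one scheme-only source allowed here
)$""", re.VERBOSE | re.IGNORECASE)

# report-uri / policy-uri take a single URI: absolute http(s) origin plus path, or a
# site-relative path. Assumed grammar, deliberately narrow.
URI_RE = re.compile(r"^(?:https?://[a-z0-9.-]+(?::\d{1,5})?)?/[a-z0-9._~/-]*$",
                    re.IGNORECASE)


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Whitelist-parse a policy string; raise ValueError on anything outside the grammar."""
    parsed: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        parts = directive.split(None, 1)
        name = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if name not in DIRECTIVES:
            raise ValueError(f"unknown directive: {name!r}")
        if name in parsed:
            raise ValueError(f"duplicate directive: {name!r}")
        tokens = value.split()
        if not tokens:
            raise ValueError(f"{name} has no value")
        if name in ("report-uri", "policy-uri"):
            if len(tokens) != 1 or not URI_RE.match(tokens[0]):
                raise ValueError(f"{name} must be a single URI, got {value!r}")
        else:
            bad = [t for t in tokens if not SOURCE_RE.match(t)]
            if bad:
                raise ValueError(f"{name}: invalid source(s) {bad!r}")
        parsed[name] = tokens
    return parsed


def is_valid_policy(policy: str) -> bool:
    """True if parse_policy accepts the string, False otherwise."""
    try:
        parse_policy(policy)
    except ValueError:
        return False
    return True


def meta_tag(policy: str) -> str:
    """Validate, re-serialise from the parsed form, then HTML-encode for the attribute.

    The encoding is defence in depth: even if the grammar above were loosened later,
    a quote or angle bracket could still not break out of the content attribute.
    """
    parsed = parse_policy(policy)
    canonical = "; ".join(f"{name} {' '.join(tokens)}" for name, tokens in parsed.items())
    return ('<meta http-equiv="X-Content-Security-Policy" content="'
            + html.escape(canonical, quote=True) + '" />')


if __name__ == "__main__":
    # Constructed sample input: one good policy and two attribute-breakout attempts.
    print(meta_tag("allow 'self'; img-src *.example.com data:; report-uri /csp-report"))
    for payload in ('allow "><script>alert(1)</script>',
                    "allow 'self'; onload=alert(1) x"):
        try:
            parse_policy(payload)
        except ValueError as err:
            print("rejected:", err)
```

Two points worth noticing when running it. First, the check is per token and anchored, so the question is never "does the string contain a bad character" but "is every token a known directive name or a source expression", which is the difference between the blacklist in the first post and the whitelist in the reply. Second, html.escape turns the single quotes of 'self' into &#x27;, which looks wrong in the page source but is correct: the browser decodes entities in attribute values before the policy is parsed, so the policy parser still sees 'self'.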

