Merged
22 changes: 22 additions & 0 deletions docs/goals.rst
Expand Up @@ -150,6 +150,28 @@ that bleach properly strips or escapes language-specific syntax like
Angular templates before using bleach-sanitized output with your
framework or template language.

Protect against CSS-based XSS attacks in legacy browsers
--------------------------------------------------------

Bleach will not protect against CSS-based XSS vectors that only worked
in legacy IE, Opera, or Netscape/Mozilla/Firefox browsers. For
example, it will not remove ``expression`` or ``url`` functions in CSS
component values in style elements or attributes and `other vectors
https://html5sec.org/#css`_.


Protect against privacy, cross site, or HTTP leaks
--------------------------------------------------

Bleach does not prevent output from fingerprinting users or leaking
information about users via requests to external sites. For example,
it will not remove CSS Media Queries or tracking pixels.

See also:

* `browser leaks https://browserleaks.com/`_
* `HTTP leaks https://github.com/cure53/HTTPLeaks`_
* `XS leaks https://xsleaks.dev/`_
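Review bot: the external links in this hunk do not use reStructuredText's hyperlink form. As the lines read here, `other vectors https://html5sec.org/#css`_ and the three "See also" bullets put the URL directly after the link text with no angle brackets; docutils treats the whole backticked string as a reference name and, with no matching target, Sphinx reports an unknown target instead of rendering a link. Unless this is an artifact of how the diff is displayed, each should be written as `` `other vectors <https://html5sec.org/#css>`_ `` (and likewise `` `browser leaks <https://browserleaks.com/>`_ ``). A smaller style point: "cross site" in the second heading should be hyphenated as "cross-site" to match the rest of the docs.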
Member
We should probably add protecting users from clicking on urls that have malicious or harmful content. I think that's come up a few times and we haven't explicitly stated it's a non-goal.

Also, this non-goals list is pretty long. Maybe there's a better way to think about this? Maybe we can list Bleach's goals and then list everything else in a "These are the other things you should be thinking about that Bleach doesn't cover...." section?

Collaborator Author

> We should probably add protecting users from clicking on urls that have malicious or harmful content.

Good call! In "Safely create links" we have:

> Bleach does not try to verify the validity or safety of the domains linked to beyond being well-formed

so it seems weird to duplicate that into non-goals.

> Maybe there's a better way to think about this?

Agreed! Maybe rewording them and moving them to FAQ page?

The non-goals is already unwieldy and could be unbounded. We could also cover some other common issues in it and link to it from the issue bug template with some "hey did you check the FAQ?" text.

Hopefully it'd make people more likely to read the goals page too.


Bleach vs html5lib
==================