XSS - Which HTML Tags and Attributes can trigger Javascript Events?

Question

I\'m trying to code a secure and lightweight white-list based HTML purifier which will use DOMDocument. In order to avoid unnecessary complexity I am willing to make the fol

Answer 1

You might want to check these 2 links out for additional reference:

http://adamcecc.blogspot.com/2011/01/javascript.html (this is only applicable when you're 'filtered' input is ever going to find itself between script tags on a page)

http://ha.ckers.org/xss.html (which has a lot of browser-specific event triggers listed)

I've used HTML Purifier, as you are doing, for this reason too in combination with a wysiwyg-editor. What i did different is using a very strict whitelist with a couple of basic markup tags and attributes available and expanding it when the need arose. This keeps you from getting attacked by very obscure vectors (like the first link above) and you can dig in on the newly needed tag/attribute one by one.

Just my 2 cents..