Why use a whitelist for HTML sanitizing?

野趣味 2020-12-06 18:39

I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input?

How many sneaky HTML tricks are there to open XSS vulnerabilities?

7 answers
  • 2020-12-06 19:09

    I prefer to have both, I call it the "Black List with Relaxed White List" approach:

    1. Create a relaxed "White List" of tags & attributes.
    2. Create a "Black List for the White List", any tag/attribute in the black list SHOULD exist in the White List you created or else an error shows up.

    This black list acts as an on-off switch for tags/attributes in the relaxed white list.

    This "Black List with Relaxed White List" approach makes it much easier to configure the sanitizing filter.

    As an example, the White List can contain all HTML5 tags and attributes, while the Black List can contain the tags & attributes to be excluded.

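The following is an added example, not code from the question or from the answer above, showing both points on this page in working form: why a whitelist is the safer default (anything the sanitizer has never heard of is dropped without being named), and how the "Black List for the White List" switch from the answer can be validated so that a black-list entry that is not in the white list fails configuration instead of silently doing nothing. The tag/attribute lists, the `SAFE_SCHEMES` URL check and all sample inputs are constructed assumptions for this example; the parser is Python's standard `html.parser`.

```python
# Added example (not from the original post): an HTML sanitizer built on the
# "Black List with Relaxed White List" idea. Everything not explicitly allowed
# is dropped; the black list can only switch off entries that already exist in
# the white list, otherwise configuration fails loudly.
from html import escape
from html.parser import HTMLParser

# Hypothetical "relaxed" white list: tag -> attributes allowed on that tag.
RELAXED_WHITELIST = {
    "p": set(),
    "b": set(),
    "i": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}

# URL schemes accepted for href/src (assumption for this example); anything
# else, e.g. javascript: or data:, is dropped without needing to be listed.
SAFE_SCHEMES = ("http:", "https:", "mailto:")
VOID_TAGS = {"img", "br", "hr"}
RAW_TEXT_TAGS = {"script", "style"}  # their bodies are dropped with the tag


def build_policy(whitelist, blacklist):
    """Return the effective policy: white list minus black list.

    blacklist maps tag -> set of attributes to disable; an empty set disables
    the whole tag. Every black-listed tag/attribute must already be in the
    white list (the rule from the answer), otherwise ValueError is raised.
    """
    policy = {tag: set(attrs) for tag, attrs in whitelist.items()}
    for tag, attrs in blacklist.items():
        if tag not in policy:
            raise ValueError(f"black-listed tag <{tag}> is not in the white list")
        if not attrs:
            del policy[tag]  # switch the whole tag off
            continue
        unknown = set(attrs) - policy[tag]
        if unknown:
            raise ValueError(
                f"black-listed attribute(s) {sorted(unknown)} not in white list for <{tag}>")
        policy[tag] -= set(attrs)
    return policy


class WhitelistSanitizer(HTMLParser):
    """Re-serialises only tags/attributes present in the policy."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []
        self._skipping = None  # name of a script/style tag whose body we drop

    @staticmethod
    def _safe_url(value):
        v = value.strip().lower()
        return v.startswith(SAFE_SCHEMES) or v.startswith(("/", "#"))

    def handle_starttag(self, tag, attrs):
        allowed = self.policy.get(tag)
        if allowed is None:  # unknown or switched-off tag: dropped entirely
            if tag in RAW_TEXT_TAGS:
                self._skipping = tag
            return
        parts = [tag]
        for name, value in attrs:
            if name not in allowed:
                continue  # onerror, onclick, style, ... never pass
            if name in ("href", "src") and not self._safe_url(value or ""):
                continue
            parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
            return
        if tag in self.policy and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping:
            return
        self.out.append(escape(data, quote=False))  # text is always escaped

    def result(self):
        return "".join(self.out)


def sanitize(html, policy):
    p = WhitelistSanitizer(policy)
    p.feed(html)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed sample input: event handlers, a javascript: URL, and a tag
    # the white list has never heard of.
    sample = ('<p onclick="x()">Hi <b>there</b> <img src="javascript:alert(1)" '
              'onerror="alert(1)" alt="x"> <a href="https://example.com" '
              'title="t">link</a><blink>new</blink></p>')
    print(sanitize(sample, build_policy(RELAXED_WHITELIST, {"img": set()})))
```

The white list does the real work: `<blink>`, `onclick` and `onerror` disappear because they were never allowed, not because someone remembered to forbid them, which is the answer to the question's second line. The black list is purely a convenience switch on top, and `build_policy` enforces the answer's rule that a black-list entry must exist in the white list.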