Skip to page content or Skip to Accesskey List.


Main Page Content

Malicious Html Tags

Rated 3.74 (Ratings: 1)

Want more?

  • More articles in News
Picture of isaac


Member info

User since: 14 Dec 1998

Articles written: 67

A CERT Advisory says that all Web browsers, and all Web servers dynamically generating pages based on unvalidated input, can be affected by malicious HTML code, or abused by those posting it.

Tags that can be used for these purposes include: SCRIPT, OBJECT, APPLET, FORM, and EMBED.

You can find the advisory here. It suggests wariness when browsing untrusted links, and also that Web developers work to recode their dynamic sites to validate output - ensuring that undesirable tags (for example, posted to message boards) are blocked.

Security information for servers from the following vendors will be posted at the URLs linked below:

Is anyone aware of how safe existing popular applications (major message boards, etc) are? Personally, it seems to me that this is a problem that many have been aware of for a long time, but maybe attackers are using new methods? The advisory mentions a number of different situations:

  • Malicious code provided by one client for another client
  • Malicious code sent inadvertently by a client for itself
  • Abuse of Other Tags
  • Abuse of Trust

and effects:

  • SSL-Encrypted Connections May Be Exposed
  • Attacks May Be Persistent Through Poisoned Cookies
  • Attacker May Access Restricted Web Sites from the Client
  • Domain Based Security Policies May Be Violated
  • Use of Less-Common Character Sets May Present Additional Risk
  • Attacker May Alter the Behavior of Forms

How do you ensure that your dynamic sites are safe from malicious code?

Isaac is a designer from Adelaide, South Australia, where he has run Triplezero for almost a decade.

He was a member and administrator of since its founding in 1998, designed the current site, and was a regular contributor on's direction-setting discussion list, theforum.

On the side, he runs Opinion, Hoops SA, Confessions, Daily Male, and Comments, as well as maintaining a travel gallery at

The access keys for this page are: ALT (Control on a Mac) plus: is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author, please do not redistribute or use elsewhere without checking with the author.