The Marquee Tag and XSS

Submitted by Ofer Shezaf on 13 January 2009 - 9:11am

A recent post on the ModSecurity mailing list prompted me to discuss a prevailing misconception about XSS protection. The poster asked for a ModSecurity rule to block several HTML tags, including "<li>" and "<marquee>".

However, while they are commonly associated with XSS, these HTML tags are not normally part of an XSS attack. An injected HTML payload, even one that carries no script, can deface the attacked site, but these particular tags play no larger role in defacement than any other input. Some tags, such as "<div>", may help a defacement by enabling larger changes to the defaced page, but "li", "ul" and "marquee" seem pretty harmless to me.

That said, it might be prudent to block any HTML tag, since there may be an as-yet-unknown XSS vector that takes advantage of them; but then you would want to block every HTML tag, not just those listed. Can you block all HTML tags? Keep in mind that in many applications, mainly interactive ones, HTML input is valid and useful. If it is not, you may be able to block "<" entirely and gain another layer of defense.

"Marquee" deserves a special note: while it sometimes appears in XSS vectors posted on the web, it is not part of the attack but part of the demo payload. We often see attack vectors posted on the web such as this one:

'">><marquee><h1>XSS</h1></marquee>

The reason is that if the attack succeeds, the injected HTML scrolls, which makes for a visible demo. The keyword "marquee", however, is immaterial to the attack and would never be used in a real one. I once heard a good story from a pen-tester who found an XSS bug in an application and, to prove it, opened a dialog saying "Gotcha!". He presented the results to the organization and the developers promised to fix the issue; when he came back a fortnight later to examine the fix, he found that the developers had added a check for the word "Gotcha!" in the input. Marquee is not much different in this sense from Gotcha!
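To make the point concrete, here is an added example (it is not code from the original post, nor from ModSecurity) that puts a keyword blocklist of the kind the poster asked for next to the two controls the post actually recommends: rejecting "<" outright where a field does not accept HTML, and encoding untrusted data at output. The function names and the payloads are constructed for this illustration; the "real" payload is just the demo vector with the immaterial marquee tag swapped for a script tag.

```python
import html

# The blocklist the mailing-list poster asked for, plus the "Gotcha!" check
# from the pen-tester's story. Constructed for this example.
BLOCKED_KEYWORDS = ("<li>", "<ul>", "<marquee>", "Gotcha!")


def keyword_filter_allows(value: str) -> bool:
    """True if the naive keyword blocklist would let the input through.

    Matching is case-insensitive; it is still a blocklist of demo artifacts,
    not of anything structural about an attack.
    """
    lowered = value.lower()
    return not any(keyword.lower() in lowered for keyword in BLOCKED_KEYWORDS)


def angle_bracket_allows(value: str) -> bool:
    """The extra layer the post suggests for fields where HTML is not valid input:
    refuse anything containing '<', whatever tag name follows it."""
    return "<" not in value


def render_untrusted(value: str) -> str:
    """Output encoding: neutralises every tag, known or unknown, because the
    browser never sees a raw '<', '>', '"' or "'" from untrusted data."""
    return html.escape(value, quote=True)


# Constructed payloads (not taken from any real application).
DEMO_PAYLOAD = '\'">><marquee><h1>XSS</h1></marquee>'      # the demo vector from the post
REAL_PAYLOAD = '\'">><script>alert(1)</script>'             # same break-out, no "marquee"
BENIGN_INPUT = "Tom & Jerry < 3"                           # legitimate text that contains '<'


def evaluate(payload: str) -> dict:
    """Run one input through all three controls so the results can be compared."""
    return {
        "keyword_filter_allows": keyword_filter_allows(payload),
        "angle_bracket_allows": angle_bracket_allows(payload),
        "escaped_output": render_untrusted(payload),
    }


if __name__ == "__main__":
    for name, payload in (("demo", DEMO_PAYLOAD),
                          ("real", REAL_PAYLOAD),
                          ("benign", BENIGN_INPUT)):
        print(name, evaluate(payload))
```

Run it and the asymmetry is plain: the keyword blocklist stops the demo payload and nothing else, while the "<" rule and the output encoding stop both. The benign input shows the price of the "<" rule (it rejects an innocent comparison), which is why the post limits that layer to applications where HTML input is not valid; output encoding has no such cost.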

1 comment

by Anonymous on 13 January 2009 - 8:56pm

As I said on the list... if I had a penny for every time a developer asked me for a definitive list of artifacts to block... I'd be a wealthy man. Perhaps we need to adjust our speak, teaching... there's got to be a way to break this behavior.
