DOMDocument and <script> tag - XSS test

From: Raymond Irving Date: Mon, 16 Jul 2012 04:54:12 +0000

Subject: DOMDocument and <script> tag - XSS test

Groups: php.internals

Request: Send a blank email to [email protected] to get a copy of this message

Hello,

I'm having a problem with the DOM parser:

If I load the following using DOMDocument->loadHTML():

<script type="text/javascript"><!--
   var d="&quot;;alert('This is an XSS test'); //";
</script>

it will be converted to:

<script type="text/javascript"><!--
   var d="";alert('This is an XSS test'); //";
</script>

This is because parser is substituting '&quot;' for  '"'.

Is there a way to prevent this from happening?

__
Raymond

Thread (5 messages)

Raymond IrvingMon, 16 Jul 2012 04:54:12 +0000
Anthony FerraraMon, 16 Jul 2012 11:31:09 +0000
Raymond IrvingTue, 17 Jul 2012 01:30:10 +0000
Anthony FerraraTue, 17 Jul 2012 02:25:36 +0000
Adam Jon RichardsonTue, 17 Jul 2012 05:03:16 +0000

« previous	php.internals (#61271)	next »

From:	Raymond Irving	Date:	Mon, 16 Jul 2012 04:54:12 +0000
Subject:	DOMDocument and <script> tag - XSS test
Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message