Re: DOMDocument and <script> tag - XSS test

Date: Mon, 16 Jul 2012 11:31:09 +0000
Subject: Re: DOMDocument and <script> tag - XSS test
Groups: php.internals

The problem is that you're escaping incorrectly for the context. It takes
more than just htmlspecialchars to escape for a JavaScript data context.

Check this out:

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values


Anthony

On Mon, Jul 16, 2012 at 12:54 AM, Raymond Irving <[email protected]> wrote:

> Hello,
>
> I'm having a problem with the DOM parser:
>
> If I load the following using DOMDocument->loadHTML():
>
> <script type="text/javascript"><!--
>    var d="&quot;;alert('This is an XSS test'); //";
> </script>
>
> it will be converted to:
>
> <script type="text/javascript"><!--
>    var d="";alert('This is an XSS test'); //";
> </script>
>
> This is because the parser is substituting '&quot;' for '"'.
>
> Is there a way to prevent this from happening?
>
> __
> Raymond
>
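
What escaping for the JavaScript data context can look like in PHP, as an added example that is not part of the original thread. It uses `json_encode()` with the `JSON_HEX_*` flags as a stand-in for the `\xHH` encoding the OWASP rule describes; the helper names `js_string_weak`, `js_string` and `through_dom` are hypothetical, and the sample input is the payload from the quoted message.

```php
<?php
// Added example: escaping an untrusted value for a JavaScript string literal
// inside an inline <script> block. Helper names are hypothetical.

// Weak: HTML-entity escaping. Correct for HTML text and attributes, wrong
// here, because a parser that decodes entities turns &quot; back into ".
function js_string_weak(string $value): string
{
    return '"' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
}

// Context-appropriate: emit a JavaScript string literal whose HTML-significant
// characters (< > & ' ") are written as \uXXXX escapes, so neither the HTML
// parser nor the JavaScript parser sees a delimiter.
function js_string(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode($value, $flags);
    if ($json === false) {
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return $json;
}

// Round-trip a script block through DOMDocument, as in the quoted message.
function through_dom(string $literal): string
{
    $html = "<script type=\"text/javascript\">\n var d=" . $literal . ";\n</script>";
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings off the output
    $doc->loadHTML($html);
    libxml_clear_errors();
    return trim($doc->saveHTML($doc->getElementsByTagName('script')->item(0)));
}

// Constructed sample input: the payload from the quoted message.
$untrusted = "\";alert('This is an XSS test'); //";

echo js_string_weak($untrusted), "\n";   // entity-escaped literal
echo js_string($untrusted), "\n";        // \uXXXX-escaped literal
echo through_dom(js_string_weak($untrusted)), "\n\n";
echo through_dom(js_string($untrusted)), "\n";
```

The literal produced by `js_string()` contains no `&`, quote or angle-bracket characters, so entity decoding by the HTML parser has nothing to act on.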

