Re: DOMDocument and <script> tag - XSS test

From:
Date: Tue, 17 Jul 2012 01:30:10 +0000
Subject: Re: DOMDocument and <script> tag - XSS test
Groups: php.internals
Hi Anthony,

Thanks for the feedback. I do get your point about escaping for JavaScript
but the example shown was just to highlight the entity substitution issue
which could lead to unexpected results. In this case a developer might want
to use jQuery to append some html escaped values to an element which would
result in an error of a possible XSS attack.

IMO there should be a feature to control or prevent this behavior.

__
Raymond

On Mon, Jul 16, 2012 at 6:31 AM, Anthony Ferrara <[email protected]> wrote:

> The problem is that you're escaping incorrectly for the context. It takes
> more than just htmlspecialchars to escape for a JavaScript data context.
>
> Check this out:
>
>
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values
>
>
> Anthony
>
>
> On Mon, Jul 16, 2012 at 12:54 AM, Raymond Irving <[email protected]> wrote:
>
>> Hello,
>>
>> I'm having a problem with the DOM parser:
>>
>> If I load the following using DOMDocument->loadHTML():
>>
>> <script type="text/javascript"><!--
>>    var d="&quot;;alert('This is an XSS test'); //";
>> </script>
>>
>> it will be converted to:
>>
>> <script type="text/javascript"><!--
>>    var d="";alert('This is an XSS test'); //";
>> </script>
>>
>> This is because the parser is substituting '&quot;' for '"'.
>>
>> Is there a way to prevent this from happening?
>>
>> __
>> Raymond
>>
>
>
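The two points raised in this thread, what loadHTML() leaves in a script body and how to escape for the JavaScript string context instead of the HTML context, as an added example that is not part of the original thread; the helper names are mine and the input is constructed from the report's snippet:

```php
<?php
// Added example, not from the thread. It covers the two points raised above:
//   1. a helper that shows what DOMDocument::loadHTML() leaves in the <script>
//      body (the entity substitution Raymond describes);
//   2. escaping an untrusted value for a JavaScript string literal with
//      json_encode(), as the OWASP rule Anthony links recommends, instead of
//      relying on htmlspecialchars(), which escapes for the HTML context only.

/** Return the text content of every <script> node after a loadHTML() round trip. */
function scriptBodiesAfterLoadHtml(string $html): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // collect parser warnings quietly
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $bodies = [];
    foreach ($doc->getElementsByTagName('script') as $script) {
        $bodies[] = $script->textContent;
    }
    return $bodies;
}

/** Escape an untrusted string for use as a JS string literal inside <script>. */
function jsStringLiteral(string $value): string
{
    // The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so the value can
    // neither terminate the surrounding quotes nor open a </script> tag.
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed input: the snippet from the original report, verbatim.
$reported = '<script type="text/javascript"><!--' . "\n"
    . '   var d="&quot;;alert(\'This is an XSS test\'); //";' . "\n"
    . '</script>';

foreach (scriptBodiesAfterLoadHtml($reported) as $body) {
    // If &quot; has been decoded to ", the string literal is closed early and
    // the alert() call is no longer inside it.
    echo "script body after loadHTML():\n", $body, "\n";
    echo "&quot; still present: ", (strpos($body, '&quot;') !== false ? 'yes' : 'no'), "\n\n";
}

// Correct escaping for the JavaScript data context: the whole value stays a string.
$untrusted = "\";alert('This is an XSS test'); //";
echo '<script>var d = ', jsStringLiteral($untrusted), ';</script>', "\n";
```

Run it against the libxml2 version in use to see whether the entity survives the round trip; the second part is the same whatever the parser does, because the escaping is done for the context the value actually lands in.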

