RE: [WEB SECURITY] Question about escaping strings in javascript
- From: "Eric Rachner" <eric@xxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Question about escaping strings in javascript
- Date: Fri, 30 May 2008 15:10:53 -0700
Hi Evert,
The Right Thing to do is to use a white-listing approach and encode
*everything* except alphanumerics and a very limited set of characters
considered safe.
The opposite approach, which you propose below, encodes only a limited
set of characters, and is bound to fail in some obscure case where some
random browser does the wrong thing, or upon the discovery of some novel
attack technique.
While working at Microsoft, Michael Eddington & I designed a library to do
this which was later altered slightly and released to the public as the
Microsoft Anti-Cross Site Scripting Library[1,2].
Mike subsequently re-implemented the same techniques in a new library called
ReForm[3], which has been adopted by OWASP.
Also, Justin Clarke has implemented the same design in his AntiXSS for Java
library[4].
By the way, Mike recently said a few words about AntiXSS/ReForm at the OWASP
AppSec Europe conference[5] in Belgium. In particular, he emphasized that
the purpose of using such a conservative design was to be
absolutely future-proof. In the years since late 2004, when we first
implemented this design at Microsoft, there have been no XSS cases
discovered which would not have been fixed through correct use of this
library. Furthermore, the one and only patch that we've had to apply to
date was to work around a bug in the Microsoft VBScript run-time.
- Eric
[1] http://www.microsoft.com/downloads/info.aspx?na=22&p=1&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3defb9c819-53ff-4f82-bfaf-e11625130c25%26DisplayLang%3den
[2] http://blogs.msdn.com/michael_howard/archive/2006/02/27/540137.aspx
[3] http://www.owasp.org/index.php/Category:OWASP_Encoding_Project
[4] http://www.gdssecurity.com/l/b/2007/12/29/antixss-for-java/
[5] https://www.owasp.org/index.php/OWASP_AppSec_Europe_2008_-_Belgium
-----Original Message-----
From: Evert | Collab [mailto:evert@collab.nl]
Sent: Friday, May 30, 2008 2:08 PM
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Question about escaping strings in javascript
Dear list,
Looking at http://code.google.com/p/doctype/wiki/ArticleXSSInJavaScript,
they present a list of characters that should always be escaped in
Javascript. This brings me to a few questions, which I hope some of
the smart people on this list can answer.
1. Does this PHP function do its job for escaping javascript:
class Escaper {
    // Escapes $string for use inside a quoted JavaScript string literal.
    // Input is assumed to be UTF-8.
    static function javascript($string) {
        $replace = array(
            // Backslash first: str_replace applies the pairs in order, so
            // escaping it later would double the backslashes added below.
            '\\' => '\\\\',
            "\t" => '\t',
            "\n" => '\n',
            "\r" => '\r',
            "\xc2\x85"     => '\u0085', // U+0085 next line, UTF-8 encoded
            "\xe2\x80\xa8" => '\u2028', // U+2028 line separator
            "\xe2\x80\xa9" => '\u2029', // U+2029 paragraph separator
            "'" => '\x27',
            '"' => '\x22',
            '&' => '\x26',
            '<' => '\x3c',
            '>' => '\x3e',
            '=' => '\x3d',
        );
        return str_replace(array_keys($replace), array_values($replace), $string);
    }
}
2. Does the latter function only work when the output encoding is
UTF-8, or would it still be applicable to ISO-8859-1? I realize this
probably isn't usable for UTF-7.
3. PHP's built-in function addslashes() only escapes the single quote,
double quote and null character. Is this not sufficient?
4. Assuming question #3 is true, how can \u2028 (line separator),
\u2029 (paragraph separator) and \u0085 (next line) be used in an
exploit?
Thanks a lot for your answers. I'm intending to write an article on
this subject on www.rooftopsolutions.nl, but I want to make sure I got
my facts straight.
Evert
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA