
Re: [WEB SECURITY] Question about escaping strings in javascript



Hey Evert,

There's a great compilation of input vectors at http://ha.ckers.org/xss.html. E.g. if content is parsed into an img tag, the following might be a possible IV:

<IMG SRC='javascript:alert(document.cookie);'>

- Enric

Evert | Collab wrote:
On 30-May-08, at 6:10 PM, Eric Rachner wrote:

Hi Evert,

The Right Thing to do is to use a white-listing approach and encode
*everything* except alphanumerics and a very limited set of characters
considered safe.


Thanks Eric,

You convinced me to go with this whitelist vs. my proposed blacklist approach for our own purposes. I can see the point of a much more defensive strategy for these types of things.

However, I'm still (for research's sake) interested in the vulnerabilities out there today, and how one would go about writing XSS for some of these lesser known special characters, such as the 'paragraph separator', and had trouble finding more information about this on the web.

So considering my previous questions, with that in mind, do you have an idea how I could go about learning more about the current state of affairs?

Evert



-----Original Message-----
From: Evert | Collab [mailto:evert@xxxxxxxxx]
Subject: [WEB SECURITY] Question about escaping strings in javascript

Dear list,

Looking at http://code.google.com/p/doctype/wiki/ArticleXSSInJavaScript,
they present a list of characters that should always be escaped in
Javascript. This brings me to a few questions, which I hope some of
the smart people on this list can answer.


1. Does this PHP function do its job for escaping javascript:

      // Assumes $string is UTF-8: U+0085, U+2028 and U+2029 are matched
      // by their UTF-8 byte sequences. The backslash rule must come
      // first, because str_replace() applies the pairs in order and a
      // later backslash rule would double the backslashes that the
      // earlier rules insert (e.g. "\t" -> '\t' -> '\\t').
      static function javascript($string) {
           $replace = array(
               '\\'           => '\\\\',
               "\t"           => '\t',
               "\n"           => '\n',
               "\r"           => '\r',
               "\xc2\x85"     => '\u0085',
               "\xe2\x80\xa8" => '\u2028',
               "\xe2\x80\xa9" => '\u2029',
               "'"            => '\x27',
               '"'            => '\x22',
               '&'            => '\x26',
               '<'            => '\x3c',
               '>'            => '\x3e',
               '='            => '\x3d',
           );
           return str_replace(array_keys($replace), array_values($replace), $string);
      }


2. Does the latter function only work when the output encoding is UTF-8, or would it still be applicable to ISO-8859-1? I realize this probably isn't usable for UTF-7.

3. PHP's built-in function addslashes() only escapes the single quote, double quote and null character. Is this not sufficient?

4. Assuming question #3 is true, how can \u2028 (line separator), \u2029 (paragraph separator) and \u0085 (next line) be used in an exploit?

Thanks a lot for your answers, I'm intending to write an article on
this subject on www.rooftopsolutions.nl, but I want to make sure I got
my facts straight.

Evert
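The white-list encoder Eric recommends above, as an added example that is not part of this thread: every UTF-16 code unit outside [A-Za-z0-9] becomes a \xHH or \uHHHH escape, so quotes, angle brackets, backslashes and the U+0085/U+2028/U+2029 terminators asked about in question 4 can never reach the script context as themselves. The function names and the constructed sample are mine; the round-trip check evaluates the generated literal with `new Function`, so it assumes Node or a browser.

```javascript
// Added example (not from the thread): white-list encoder for a value that
// is being placed inside a double-quoted JavaScript string literal.
// Works on UTF-16 code units, so characters outside the BMP come out as a
// surrogate pair of \u escapes, which JavaScript string literals accept.
function encodeForJsString(input) {
  let out = '';
  for (let i = 0; i < input.length; i++) {
    const code = input.charCodeAt(i);
    const isAlnum =
      (code >= 0x30 && code <= 0x39) || // 0-9
      (code >= 0x41 && code <= 0x5a) || // A-Z
      (code >= 0x61 && code <= 0x7a);   // a-z
    if (isAlnum) {
      out += input[i];
    } else if (code <= 0xff) {
      out += '\\x' + code.toString(16).padStart(2, '0'); // e.g. " -> \x22
    } else {
      out += '\\u' + code.toString(16).padStart(4, '0'); // e.g. U+2028 -> \u2028
    }
  }
  return out;
}

// True when the encoded text contains nothing but alphanumerics and the
// backslash that starts each escape: no quote, line terminator, '<', '>'
// or '</script' sequence can have survived into the script block.
function isWhitelistOnly(encoded) {
  return /^[A-Za-z0-9\\]*$/.test(encoded);
}

// Round-trip check: build the script fragment the way a template would,
// evaluate it, and return what the JavaScript engine read back.
function roundTrip(value) {
  const script = 'return "' + encodeForJsString(value) + '";';
  return new Function(script)();
}

// Constructed sample covering the characters discussed in the thread:
// quotes, a closing script tag, a backslash, U+2028, U+2029, U+0085,
// a Latin-1 letter and an astral code point.
const SAMPLE = 'x"\';</script>\\\u2028\u2029\u0085\u00e9\u{1F600}';

console.log(encodeForJsString(SAMPLE));
console.log(isWhitelistOnly(encodeForJsString(SAMPLE))); // true
console.log(roundTrip(SAMPLE) === SAMPLE);               // true
```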

----------------------------------------------------------------------------

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
