[WEB SECURITY] Question about escaping strings in javascript

Eric Rachner eric at rachner.us
Fri May 30 18:10:53 EDT 2008


Hi Evert,

The Right Thing to do is to use a white-listing approach and encode
*everything* except alphanumerics and a very limited set of characters
considered safe.

The opposite approach, which you propose below, encodes only a limited
set of characters, and is bound to fail in some obscure case where some
random browser does the wrong thing, or upon the discovery of some novel
attack technique.

While working at Microsoft, Michael Eddington & I designed a library to do
this which was later altered slightly and released to the public as the
Microsoft Anti-Cross Site Scripting Library[1,2].

Mike subsequently re-implemented the same techniques in a new library called
ReForm[3], which has been adopted by OWASP.

Also, Justin Clarke has implemented the same design in his AntiXSS for Java
library[4].

By the way, Mike recently said a few words about AntiXSS/ReForm at the OWASP
AppSec Europe conference[5] in Belgium.  In particular, he emphasized that
the purpose of using such a conservative design was to be 
absolutely future-proof.  In the years since late 2004, when we first
implemented this design at Microsoft, there have been no XSS cases
discovered which would not have been fixed through correct use of this
library.  Furthermore, the one and only patch that we've had to apply to
date was to work around a bug in the Microsoft VBScript run-time.

- Eric

[1]	http://www.microsoft.com/downloads/info.aspx?na=22&p=1&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3defb9c819-53ff-4f82-bfaf-e11625130c25%26DisplayLang%3den

[2]	http://blogs.msdn.com/michael_howard/archive/2006/02/27/540137.aspx

[3]	http://www.owasp.org/index.php/Category:OWASP_Encoding_Project

[4]	http://www.gdssecurity.com/l/b/2007/12/29/antixss-for-java/

[5]	https://www.owasp.org/index.php/OWASP_AppSec_Europe_2008_-_Belgium
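An added illustration of the white-listing approach Eric describes (example code written for this archive page, not code from the AntiXSS, ReForm or AntiXSS for Java libraries): every UTF-16 code unit outside [A-Za-z0-9] is emitted as \xHH or \uHHHH, so no list of "dangerous" characters has to be maintained, and a round-trip check confirms the output parses back to the input. The function names and sample strings are constructed for the example.

```javascript
// Whitelist encoder for the JavaScript string-literal context:
// only ASCII letters and digits pass through unchanged; every other
// UTF-16 code unit is escaped. Example code, not from the AntiXSS library.
const SAFE = /^[A-Za-z0-9]$/;

function hex(n, width) {
  return n.toString(16).toUpperCase().padStart(width, "0");
}

// Encode for use *inside* a quoted JS string literal ("..." or '...').
// Quotes, backslashes, <, >, &, =, NEL (U+0085), U+2028/U+2029 and
// surrogate halves are all neutralised without being enumerated.
function encodeForJsString(input) {
  let out = "";
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (SAFE.test(ch)) {
      out += ch;
      continue;
    }
    const cu = input.charCodeAt(i);
    out += cu < 0x100 ? "\\x" + hex(cu, 2) : "\\u" + hex(cu, 4);
  }
  return out;
}

// Round-trip check: the encoded text, dropped into a double-quoted
// literal, must parse back to the original value. Function() is used
// only as a test oracle on data this example generated itself.
function roundTrips(input) {
  const literal = '"' + encodeForJsString(input) + '"';
  return new Function("return " + literal)() === input;
}

// Constructed sample inputs covering the characters the thread discusses.
const SAMPLES = [
  "O'Reilly & </script> = \"quoted\"",
  "back\\slash then tab\t and newline\n",
  "line\u2028sep \u2029para \u0085nel",
  "astral \u{1F600} char",
];

function allRoundTrip() {
  return SAMPLES.every(roundTrips);
}
```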

-----Original Message-----
From: Evert | Collab [mailto:evert at collab.nl] 
Sent: Friday, May 30, 2008 2:08 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Question about escaping strings in javascript

Dear list,

Looking at http://code.google.com/p/doctype/wiki/ArticleXSSInJavaScript,
they present a list of characters that should always be escaped in
Javascript. This brings me to a few questions, which I hope some of
the smart people on this list can answer.

1. Does this PHP function do its job for escaping javascript:

        class Escaper {
            // Escape a UTF-8 string for use inside a quoted JavaScript string literal.
            static function javascript($string) {
                // Order matters: str_replace() applies the pairs one after another
                // over the whole string, so the backslash must be handled first or
                // it would double the backslashes added by the later replacements.
                $replace = array(
                    '\\'           => '\\\\',
                    "\t"           => '\t',
                    "\n"           => '\n',
                    "\r"           => '\r',
                    "\xC2\x85"     => '\u0085', // U+0085 NEL, as UTF-8 bytes
                    "\xE2\x80\xA8" => '\u2028', // U+2028 LINE SEPARATOR, as UTF-8 bytes
                    "\xE2\x80\xA9" => '\u2029', // U+2029 PARAGRAPH SEPARATOR, as UTF-8 bytes
                    "'"            => '\x27',
                    '"'            => '\x22',
                    '&'            => '\x26',
                    '<'            => '\x3c',
                    '>'            => '\x3e',
                    '='            => '\x3d',
                );
                return str_replace(array_keys($replace), array_values($replace), $string);
            }
        }


2. Does the latter function only work when the output encoding is
UTF-8, or would it still be applicable to ISO-8859-1? I realize this
probably isn't usable for UTF-7.
3. PHP's built-in function addslashes() only escapes the single quote,  
double quote and null character. Is this not sufficient?
4. Assuming question #3 is true, how can \u2028  (line separator),  
\u2029 (paragraph separator) and \u0085 (next line) be used in an  
exploit?

Thanks a lot for your answers, I'm intending to write an article on
this subject on www.rooftopsolutions.nl, but I want to make sure I got
my facts straight.

Evert

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
