[WEB SECURITY] Question about escaping strings in javascript
Evert | Collab
evert at rooftopsolutions.nl
Sat May 31 17:38:57 EDT 2008
On 30-May-08, at 6:10 PM, Eric Rachner wrote:
> Hi Evert,
>
> The Right Thing to do is to use a white-listing approach and encode
> *everything* except alphanumerics and a very limited set of characters
> considered safe.
Thanks Eric,
You convinced me to go with this whitelist vs. my proposed blacklist
approach for our own purposes. I can see the point of a much more
defensive strategy for these types of things.
However, I'm still (for research's sake) interested in the
vulnerabilities out there today, and how one would go about writing
XSS for some of these lesser-known special characters, such as the
'paragraph separator', and had trouble finding more information about
this on the web.
So considering my previous questions, with that in mind, do you have
an idea how I could go about learning more about the current state of
affairs?
Evert
>
> -----Original Message-----
> From: Evert | Collab [mailto:evert at collab.nl]
> Subject: [WEB SECURITY] Question about escaping strings in javascript
>
> Dear list,
>
> Looking at http://code.google.com/p/doctype/wiki/ArticleXSSInJavaScript,
> they present a list of characters that should always be escaped in
> Javascript. This brings me to a few questions, which I hope some of
> the smart people on this list can answer.
>
> 1. Does this PHP function do its job for escaping javascript:
>
> class Escaper { // enclosing class assumed; the method is what matters
>
>     static function javascript($string) {
>         // str_replace applies the pairs in order, so the backslash must be
>         // handled first; otherwise the backslashes introduced by the later
>         // pairs (e.g. the one in '\t') get doubled by the '\\' rule.
>         // The keys for U+0085, U+2028 and U+2029 are their UTF-8 byte
>         // sequences; "\x20\x28" only matched a space followed by "(".
>         $replace = array(
>             '\\' => '\\\\',
>             "\t" => '\t',
>             "\n" => '\n',
>             "\r" => '\r',
>             "\xc2\x85" => '\u0085',
>             "\xe2\x80\xa8" => '\u2028',
>             "\xe2\x80\xa9" => '\u2029',
>             "'" => '\x27',
>             '"' => '\x22',
>             '&' => '\x26',
>             '<' => '\x3c',
>             '>' => '\x3e',
>             '=' => '\x3d',
>         );
>         return str_replace(array_keys($replace), array_values($replace), $string);
>     }
>
> }
>
>
> 2. Does the latter function only work when the output encoding is
> UTF-8, or would it still be applicable to ISO-8859-1? I realize this
> probably isn't usable for UTF-7.
> 3. PHP's built-in function addslashes() only escapes the single quote,
> double quote and null character. Is this not sufficient?
> 4. Assuming question #3 is true, how can \u2028 (line separator),
> \u2029 (paragraph separator) and \u0085 (next line) be used in an
> exploit?
>
> Thanks a lot for your answers, I'm intending to write an article on
> this subject on www.rooftopsolutions.nl, but I want to make sure I got
> my facts straight.
>
> Evert
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
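The whitelist encoder Eric recommends, as an added example that is not code from the thread or from the Doctype article: every UTF-16 code unit outside [A-Za-z0-9] becomes a \uHHHH escape, which is valid both inside a JavaScript string literal and in JSON, so JSON.parse can check the round trip without evaluating code. The function names and the sample string are constructed for this example.

```javascript
// Added example: whitelist encoding for untrusted data placed inside a
// JavaScript string literal. Everything except [A-Za-z0-9] is escaped, so
// quotes, backslash, <, >, &, = and the line terminators U+0085/U+2028/U+2029
// discussed in the thread need no individual blacklist entries.
function jsStringEncode(input) {
  const s = String(input);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    // Work on UTF-16 code units; each half of a surrogate pair is escaped
    // on its own, which JavaScript and JSON both accept.
    const cu = s.charCodeAt(i);
    const alnum =
      (cu >= 0x30 && cu <= 0x39) || // 0-9
      (cu >= 0x41 && cu <= 0x5a) || // A-Z
      (cu >= 0x61 && cu <= 0x7a);   // a-z
    out += alnum ? s[i] : "\\u" + cu.toString(16).padStart(4, "0");
  }
  return out;
}

// True when the encoded text contains nothing that could terminate the
// literal, the enclosing <script> element, or a line: only alphanumerics
// and the backslashes of \uHHHH escapes remain.
function isSafeLiteralBody(encoded) {
  return /^[A-Za-z0-9\\]*$/.test(encoded);
}

// Read the literal back the way the browser would. JSON.parse accepts
// exactly the \uHHHH escapes emitted above, so it serves as a strict
// round-trip check without evaluating code.
function decodeLiteral(encoded) {
  return JSON.parse('"' + encoded + '"');
}

// Constructed sample covering the characters the thread asks about.
const SAMPLE = "O'Reilly</script>\u2028alert(1)\u2029\u0085 a=\"b\"&\\";

if (typeof require !== "undefined" && require.main === module) {
  const enc = jsStringEncode(SAMPLE);
  console.log("var s = '" + enc + "';");
  console.log("safe:", isSafeLiteralBody(enc), "round-trip:", decodeLiteral(enc) === SAMPLE);
}
```

Because the output never contains a raw line terminator, the encoding question for U+2028/U+2029 disappears along with the blacklist; the same holds whatever the page's declared charset, since the escapes are pure ASCII.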