[WEB SECURITY] Question about escaping strings in javascript

Enric Junqué de Fortuny ciri at virtuax.be
Sat May 31 21:19:27 EDT 2008


Hey Evert,

There's a great compilation of input vectors at: 
http://ha.ckers.org/xss.html. E.g. if content is parsed into an img tag, 
the following might be a possible IV:

<IMG SRC='javascript:alert(document.cookie);'>

- Enric
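The whitelist approach Eric recommends, written out in PHP as an added example (this is not code from the thread or from any of its participants). Everything outside ASCII letters and digits is emitted as a `\uXXXX` escape, so the quote characters, `<`/`>`/`&`, `=` and the three Unicode line terminators asked about (U+2028, U+2029, U+0085) are never passed through literally. The function name `js_string_encode`, its `$charset` parameter and the sample inputs are assumptions made for this example; it relies on PHP's `mbstring` extension.

```php
<?php
// Added example, not code from the thread: whitelist encoder for placing a PHP
// string inside a JavaScript string literal. Every character outside
// [A-Za-z0-9] becomes a \uXXXX escape, so quotes, </script>, ampersands and
// the line terminators U+2028 / U+2029 / U+0085 never reach the JavaScript
// parser (or the surrounding HTML parser) as themselves.
//
// $charset names the encoding of $input ('UTF-8' or 'ISO-8859-1'). The output
// is pure ASCII, so it is valid in a page served in either encoding.
function js_string_encode(string $input, string $charset = 'UTF-8'): string
{
    // Normalise to UTF-8 first so that iteration is per code point, not per
    // byte; otherwise a multi-byte character such as U+2028 would be escaped
    // as three separate bytes and re-assembled by the browser.
    if ($charset !== 'UTF-8') {
        $input = mb_convert_encoding($input, 'UTF-8', $charset);
    }
    if (!mb_check_encoding($input, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid ' . $charset);
    }

    $out = '';
    foreach (mb_str_split($input, 1, 'UTF-8') as $ch) {
        // Whitelist: ASCII letters and digits pass through unchanged.
        if (preg_match('/^[A-Za-z0-9]$/D', $ch)) {
            $out .= $ch;
            continue;
        }
        $cp = mb_ord($ch, 'UTF-8');
        if ($cp <= 0xFFFF) {
            $out .= sprintf('\\u%04x', $cp);
        } else {
            // Code points above the BMP need a UTF-16 surrogate pair in JS source.
            $cp -= 0x10000;
            $out .= sprintf('\\u%04x\\u%04x', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
        }
    }
    return $out;
}

// Constructed sample inputs (not taken from the thread). The Latin-1 sample
// contains byte 0x85, which in ISO-8859-1 is the NEL control, i.e. U+0085.
$samples = [
    'UTF-8'      => "O'Reilly </script>\u{2028}line two",
    'ISO-8859-1' => "caf\xe9\x85next",
];
foreach ($samples as $charset => $s) {
    echo 'var s = "' . js_string_encode($s, $charset) . '";', "\n";
}
```

Because the output contains only ASCII, the question of whether the page is served as UTF-8 or ISO-8859-1 no longer affects the escaping; the only encoding that matters is the one the input arrives in, which is why the function takes it as an explicit parameter rather than guessing. The same whitelist rule also makes the result safe inside either single- or double-quoted JavaScript literals.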

Evert | Collab wrote:
> On 30-May-08, at 6:10 PM, Eric Rachner wrote:
>
>> Hi Evert,
>>
>> The Right Thing to do is to use a white-listing approach and encode
>> *everything* except alphanumerics and a very limited set of characters
>> considered safe.
>
>
> Thanks Eric,
>
> You convinced me to go with this whitelist vs. my proposed blacklist 
> approach for our own purposes. I can see the point of a much more 
> defensive strategy for these types of things.
>
> However, I'm still (for research sake) interested in the 
> vulnerabilities out there today, and how one would go about writing 
> XSS for some of these lesser known special characters, such as the 
> 'paragraph separator' and had trouble finding more information about 
> this on the web.
>
> So considering my previous questions, with that in mind, do you have 
> an idea how I could go about learning more about the current state of 
> affairs?
>
> Evert
>
>
>>
>> -----Original Message-----
>> From: Evert | Collab [mailto:evert at collab.nl]
>> Subject: [WEB SECURITY] Question about escaping strings in javascript
>>
>> Dear list,
>>
>> Looking at:
>> http://code.google.com/p/doctype/wiki/ArticleXSSInJavaScript
>> they present a list of characters that should always be escaped in
>> Javascript. This brings me to a few questions, which I hope some of
>> the smart people on this list can answer.
>>
>> 1. Does this PHP function do its job for escaping javascript:
>>
>>       // Escapes a UTF-8 PHP string for use inside a JavaScript string literal.
>>       static function javascript($string) {
>>
>>            // str_replace applies the pairs in array order, so the backslash
>>            // must come first; otherwise it would double the escapes produced
>>            // by the later pairs.
>>            $replace = array(
>>                '\\'           => '\\\\',
>>                "\t"           => '\t',
>>                "\n"           => '\n',
>>                "\r"           => '\r',
>>                // UTF-8 byte sequences of U+0085, U+2028 and U+2029
>>                "\xc2\x85"     => '\u0085',
>>                "\xe2\x80\xa8" => '\u2028',
>>                "\xe2\x80\xa9" => '\u2029',
>>                "'"            => '\x27',
>>                '"'            => '\x22',
>>                '&'            => '\x26',
>>                '<'            => '\x3c',
>>                '>'            => '\x3e',
>>                '='            => '\x3d',
>>            );
>>            return str_replace(array_keys($replace), array_values($replace), $string);
>>        }
>>
>>
>> 2. Does the latter function only work when the output encoding is
>> UTF-8, or would it still be applicable to ISO-8859-1? I realize this
>> probably isn't usable for UTF-7.
>> 3. PHP's built-in function addslashes() only escapes the single quote,
>> double quote and null character. Is this not sufficient?
>> 4. Assuming question #3 is true, how can \u2028  (line separator),
>> \u2029 (paragraph separator) and \u0085 (next line) be used in an
>> exploit?
>>
>> Thanks a lot for your answers, I'm intending to write an article on
>> this subject on www.rooftopsolutions.nl, but I want to make sure I got
>> my facts straight.
>>
>> Evert
>>
>> ---------------------------------------------------------------------------- 
>>
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/
>>
>> Subscribe via RSS:
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>

