php - inline HTML javascript event intreprets escaped quote as a closing quote -


is inline html js events doesn't care escaped quotes?

$xss = addslashes("'><script>alert(/xss/.source)</script>"); echo "<a href='/deleteaction.php' onclick='javascript:if(!confirm(\"{$xss}\")) return false'>delete</a>";

produced html:

<a href='/deleteaction.php' onclick='javascript:if(!confirm("\'> <script>alert(/xss/.source)</script> ")) return false'>delete</a>

edit: executes script. thought produce string in confirm box:

'><script>alert(/xss/.source)</script>

but first single quote interpret closing quote onclick event. question why interpret closing quote eventhough has backslash before it?

this because browser's html parser runs before javascript parser.

in html \' not recognised single quote character, recognised literally backslash followed single quote.

the correct html single quote &#x27; (or &#039; in decimal).

to fix should use htmlentities addslashes.

e.g.

$xss = addslashes(htmlentities("'><script>alert(/xss/.source)</script>", ent_quotes));

this output:

<a href='/deleteaction.php' onclick='javascript:if(!confirm("&#039;&gt;&lt;script&gt;alert(/xss/.source)&lt;/script&gt;")) return false'>delete</a>

which correct encoding confirm shown as:

php xss

note applies html attributes can contain script, not content within <script> tags, because content not ran through html parser (the html parser looks final </script> until resume html processing).

note need addslashes in case string contains \ characters.

a less messy way of coding follow rule #3 of owasp xss (cross site scripting) prevention cheat sheet:

except alphanumeric characters, escape characters less 256 \xhh format prevent switching out of data value script context or attribute.

so rather encoding both slashes , html, javascript hex entity encode. knowledge php not offer out of box (although please correct me if i'm wrong).

this handles situation there attributes single quoted, double quoted or unquoted (as space converted \x20).


Comments

Post a Comment

Popular posts from this blog

c++ - Difference between pre and post decrement in recursive function argument -

i have following sample code used pre-decrement void function(int c) { if(c == 0) { return; } else { cout << "dp" << c << endl; function(--c); cout << c << endl; return; } } this function give output input 4 : dp3 dp2 dp1 dp0 0 1 2 3 but when use post decrement void function(int c) { if(c == 0) { return; } else { cout << "dp" << c << endl; function(c--); cout << c << endl; return; } } output goes in infinite loop dp4 can explain me in detail why happens ? this happens because function(c--) called same value of c , when finishes c decremented. recursively called, hence called same value no chance of return , hit stack overflow error. assume this, int x = 1, y = 0; y = x++ result y == 1 , x == 2. if y = ++x , bot x , y 2.
Read more

php - Nothing but 'run(); ' when browsing to my local project, how do I fix this? -

i added new project. made mistake in projectname.conf file in sites-available apache2, led me reinstalling apache2. after reinstalling , re-enabling projects on every page of every project .. <body> run(); </body> .. i've run composer update, restarted service, restarted pc, checked config files, tried disabling new project. there nothing in error log, , access.log: 127.0.0.1 - - [15/may/2015:01:40:47 +0200] "get / http/1.1" 304 181 "-" "mozilla/5.0 (x11; ubuntu; linux x86_64; rv:38.0) gecko/20100101 firefox/38.0" maybe i'm forgetting apache2 reinstall? don't think did different last time installed it. looks haven't setup php correctly. take @ this great guide , maybe you're forgetting link php config apache2.
Read more

php - How can I echo out this array? -

i don't know how go grabbing data in variable , put foreach loop. class tree{ private $info = array( array('name'=>'jim','state'=>'nu','company'=>'nu','phone'=>array('cell'=>'5615111111','office'=>'5611111111'),'email'=>array('primary'=>'exs@example.com','ex@there.com')), array('name'=>'joe smith','city'=>'phoenix','phone'=>'4805551111','email'=>'jsmith@some_email.com'), array('name'=>'john doe','city'=>'chandler','company'=>'doe co.','email'=>array('jdoe@gmail.com','personal'=>'email@email.com'),'phone'=>'6025550002') ); } if you're inside of class, can access private variable using $this->variablename . example, i
Read more