php - inline HTML javascript event intreprets escaped quote as a closing quote -
is inline html js events doesn't care escaped quotes?
$xss = addslashes("'><script>alert(/xss/.source)</script>"); echo "<a href='/deleteaction.php' onclick='javascript:if(!confirm(\"{$xss}\")) return false'>delete</a>";
produced html:
<a href='/deleteaction.php' onclick='javascript:if(!confirm("\'> <script>alert(/xss/.source)</script> ")) return false'>delete</a>
edit: executes script. thought produce string in confirm box:
'><script>alert(/xss/.source)</script>
but first single quote interpret closing quote onclick event. question why interpret closing quote eventhough has backslash before it?
this because browser's html parser runs before javascript parser.
in html \'
not recognised single quote character, recognised literally backslash followed single quote.
the correct html single quote '
(or '
in decimal).
to fix should use htmlentities
addslashes
.
e.g.
$xss = addslashes(htmlentities("'><script>alert(/xss/.source)</script>", ent_quotes));
this output:
<a href='/deleteaction.php' onclick='javascript:if(!confirm("'><script>alert(/xss/.source)</script>")) return false'>delete</a>
which correct encoding confirm shown as:
note applies html attributes can contain script, not content within <script>
tags, because content not ran through html parser (the html parser looks final </script>
until resume html processing).
note need addslashes
in case string contains \
characters.
a less messy way of coding follow rule #3 of owasp xss (cross site scripting) prevention cheat sheet:
except alphanumeric characters, escape characters less 256 \xhh format prevent switching out of data value script context or attribute.
so rather encoding both slashes , html, javascript hex entity encode. knowledge php not offer out of box (although please correct me if i'm wrong).
this handles situation there attributes single quoted, double quoted or unquoted (as space converted \x20
).
Comments
Post a Comment