Comments (7)
ilatypov
commented on May 29, 2024
1
Sorry for the spam above, but I agree with the original post by Nathan and with the analysis by @pthorson.
The encoding of raw - as raw \- results in an invalid JSON (but a valid ECMAScript) string literal.
string = quotation-mark *char quotation-mark
char = unescaped /
escape (
%x22 / ; " quotation mark U+0022
%x5C / ; \ reverse solidus U+005C
%x2F / ; / solidus U+002F
%x62 / ; b backspace U+0008
%x66 / ; f form feed U+000C
%x6E / ; n line feed U+000A
%x72 / ; r carriage return U+000D
%x74 / ; t tab U+0009
%x75 4HEXDIG ) ; uXXXX U+XXXX
escape = %x5C ; \
quotation-mark = %x22 ; "
unescaped = %x20-21 / %x23-2E / %x30-5B / %x5D-10FFFF
https://www.rfc-editor.org/errata_search.php?rfc=8259
CharacterEscapeSequence ::
SingleEscapeCharacter
NonEscapeCharacter
SingleEscapeCharacter :: one of
' " \ b f n r t v
NonEscapeCharacter ::
SourceCharacter but not one of EscapeCharacter or LineTerminator
https://www.ecma-international.org/ecma-262/6.0/#sec-literals-string-literals
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation
https://www.json.org/
There is little need to have the "mode" parameter in the Javascript string encoder. It brings unnecessary usage complexity as encoding for the worst case would still be parseable in the easiest use case as well.
In addition, the existing code missed extra attack surfaces,
This suggests to encode with raw \uHHHH the following single characters, regardless of "mode" (and add another method signature without the parameter, deprecating the current method). This will add to the existing encodings of the double quote raw " as raw \" et c. but remove the ECMA compatible non-JSON encoding raw \-. The encoding of the forward slash raw / as raw \/ appears compatible with both ECMA and JSON. To sum up, these characters need replacing on output.
- the double quote
raw "withraw \"against escaping a javascript string surrounded by double quotes, - the single quote
raw 'withraw \u0027against escaping a javascript string surrounded by single quotes, - the forward slash
raw /withraw \/against constructing a closing script tag in a javascript string, - the opening angle bracket
raw <against closing the script tag or opening a comment tag, - the closing angle bracket
raw >against closing a possible CDATA wrapper around the javascript text embedded in XHTML (and HTML?), U+2028andU+2029allowed in JSON but not in Javascript against disrupting the javascript engine.- the ampersand
raw &against the mandatory HTML entity decoding in XHTML documents embedding scripts without a CDATA wrapper. (HTML documents do not apply the entity decoding to embedded scripts but the suggested string literal encoding does not change the string's value).
I understand that these layers look secondary to JSON or Javascript string literal encoding per se, but leaving the task of protecting the string literal against these layers would require re-implementing the encoder for each use case. Attempting to apply additional encoding with simple .replace() chaining will suffer from destroying the context of the backslash-protected characters. Luckily, the suggested "preliminary optimization" by using the raw \uHHHH encoding is both acceptable by the lower level interpreter (javascript engine) and defending against additional interpreters on top of it.
from owasp-java-encoder.
pthorson
commented on May 29, 2024
Perhaps the application of this rule?
if (mode == Mode.BLOCK || mode == Mode.HTML) {
// in <script> blocks, we need to prevent the browser from seeing
// "</anything>" and "<!--". To do so we escape "/" as "\/" and
// escape "-" as "\-".
from owasp-java-encoder.
ndp-opendap
commented on May 29, 2024
I think so.
from owasp-java-encoder.
jmanico
commented on May 29, 2024
Thanks for the bug. This function should not be used to escape JSON. If you want to embed JSON on a page I would serialize it. https://github.com/yahoo/serialize-javascript
This function is to escape embedded JavaScript strings per the examples laid on in our docs.
Is this at all helpful?
Aloha,
--
Jim Manico
@manicode
… On Jun 6, 2019, at 4:33 PM, Nathan Potter ***@***.***> wrote:
I think so.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
from owasp-java-encoder.
jmanico
commented on May 29, 2024
This seems like a good argument. Would you care to give us a PR? I'll also as Jeff to take a look at this.
from owasp-java-encoder.
jmanico
commented on May 29, 2024
PS: The earlier spam was accidental and I deleted it. I'm back to updating this project.
from owasp-java-encoder.
jmanico
commented on May 29, 2024
After speaking to Jeff on this, we have the following response and wish to close the issue and open a new feature request.
Summary: encodeForJavaScript is not meant to be safe for JSON, but we do plan to add a new JSON encode function, in the meantime consider https://github.com/yahoo/serialize-javascript type logic to safely embed JSON on a page.
from owasp-java-encoder.
Related Issues (20)
- Configuring exclusions for `Encode.forHtml()` HOT 5
- Rename main branch HOT 1
- Create encode for URL function HOT 9
- Support for input canonicalization HOT 6
- JavaScriptEncoder escapes "-" what makes dates escaped HOT 6
- Create an encodeForEmail() function HOT 4
- Possible to inject expression property resulting XSS attack in IE browser by using certain document modes HOT 2
- Please sign the jar HOT 12
- Documentation Frames Broken by Content-Security-Policy HOT 1
- Process for reporting possible security vulnerabilties
- Correct javadoc for Encode class HOT 1
- Javadoc link is broken HOT 4
- Alternative method for deprecated forUri() method HOT 1
- Jsp tags not working together with EL expressions HOT 3
- log4j 1.2.17 dependency HOT 6
- Compile error HOT 6
- Any plans for a version using Jakarta Servlet 5.0? HOT 4
- Automatic module name not included in manifest
- I couldn't sanitize the vector "<%<!--'%><script>alert(1);</script -->", using the methods available in "encoder-1.2.3.jar". HOT 3
- Combining OWASP Sanitizer and Encoder HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from owasp-java-encoder.