General

I am not sure whether it is safe to display some text entered by a user in this way:

An argument from a URL is decoded by decodeURIComponent(). Afterwards, line breaks are replaced using text.replace(/\n/g, '<br/>'). The resulting string is displayed in an OpenLayers marker. In this way, HTML from the user is embedded in the webpage.

Concrete example

http://map.openseamap.org allows for the creation of permalinks (Top menu > Tools > Permalinks). The site decodes the URL as shown above and displays a marker on the page.

Example:

http://map.openseamap.org/map/?zoom=15&mlat=53.62053&mlon=11.46929&mtext=%3Cscript%3E%0A%20alert(%27Hello%20World!%27)%3B%0A%3C%2Fscript%3E&layers=BTFFFFFFFFF0FFFFFFFF

Contains:

<script>
 alert('Hello World!');
</script>

The code is embedded in the page, but is not executed.

Can this way of displaying the text be exploited?

You can find the code of the site here:
http://github.com/OpenSeaMap/online_chart

The code for decoding is in index.php on line 138:
http://github.com/OpenSeaMap/online_chart/blob/master/index.php#L137

If you have a better solution, a pull request is welcome!
Asked Oct 17, 2015 at 8:56 by aAXEe; edited Oct 18, 2015 at 19:44 by Gray.

1 Answer
Is it safe?

No.

Example:

I used a payload of <IMG SRC=/ onerror="alert(document.domain)"></img>

Here's the permalink (note that this will cause several alerts to appear on the page, nothing malicious, but a little annoying): http://map.openseamap.org/map/?zoom=17&mlat=53.62429&mlon=11.47198&mtext=%3CIMG%20SRC%3D%2F%20onerror%3D%22alert(document.domain)%22%3E%3C%2Fimg%3E&layers=BTFFFFFFFFF0FFFFFFFF

Your implementation is actually a little extra dangerous since it obfuscates the payload enough for built-in browser tools like Chrome's XSS auditor to not detect it. Not that leaving this to the browser is acceptable, but this makes for a very universal XSS vulnerability.

You still need to escape 'dangerous' characters like <, >, ', ", and &. In my opinion, HTML from this parameter should not render at all, as the intention appears to be a plaintext comment. The context we need to escape for here appears to be pretty much a standard HTML context, so the aforementioned characters should be sufficient to prevent injection (at least in that spot, I didn't check everywhere!). That means < becomes &lt;, > becomes &gt;, ' becomes &#x27;, " becomes &quot;, and & becomes &amp;.

I'm not saying you should do the conversion from scratch, just giving a rough idea of what needs to happen. Here's a great resource that every web developer should read at least a few times: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
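As an added example (not the OpenSeaMap project's code, and not part of the question or the answer above), the following JavaScript puts the flow the question describes (decodeURIComponent, then newline to <br/>) next to the escaping the answer recommends. The helper names and the two permalinks are constructed for this illustration; the permalinks mirror the ones quoted in the question and the answer.

```javascript
// Added example: marker-text handling as described in the question (unsafe)
// and with HTML escaping applied first (hardened). Not project code.

// Escape the five characters the answer lists. In an HTML body context this
// is enough to stop user text from opening or closing tags and attributes.
function escapeHtml(s) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull mtext out of a permalink the way the question describes: take the
// raw query value and run it through decodeURIComponent().
function getMarkerText(permalink) {
  const query = permalink.split('?')[1] || '';
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (key === 'mtext') {
      return decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    }
  }
  return '';
}

// What the question describes: only newlines are rewritten, everything else
// reaches the page as HTML, so any tag the user supplies survives.
function unsafeMarkerHtml(text) {
  return text.replace(/\n/g, '<br/>');
}

// Hardened version: escape first, then rewrite newlines. The order matters;
// escaping after the replace would turn our own <br/> tags back into text.
function safeMarkerHtml(text) {
  return escapeHtml(text).replace(/\n/g, '<br/>');
}

// Crude check for the demonstration: does the HTML contain any '<' other
// than the <br/> tags we inserted ourselves?
function containsForeignTags(html) {
  return /<(?!br\/>)/i.test(html);
}

// Constructed permalinks, modelled on the ones quoted on this page.
const QUESTION_LINK =
  'http://map.openseamap.org/map/?zoom=15&mlat=53.62053&mlon=11.46929' +
  '&mtext=%3Cscript%3E%0A%20alert(%27Hello%20World!%27)%3B%0A%3C%2Fscript%3E' +
  '&layers=BTFFFFFFFFF0FFFFFFFF';
const ANSWER_LINK =
  'http://map.openseamap.org/map/?zoom=17&mlat=53.62429&mlon=11.47198' +
  '&mtext=%3CIMG%20SRC%3D%2F%20onerror%3D%22alert(document.domain)%22%3E%3C%2Fimg%3E' +
  '&layers=BTFFFFFFFFF0FFFFFFFF';

for (const link of [QUESTION_LINK, ANSWER_LINK]) {
  const text = getMarkerText(link);
  console.log('unsafe  :', unsafeMarkerHtml(text),
              '| foreign tags:', containsForeignTags(unsafeMarkerHtml(text)));
  console.log('escaped :', safeMarkerHtml(text),
              '| foreign tags:', containsForeignTags(safeMarkerHtml(text)));
}
```

The `<script>` payload from the question stays inert only because browsers do not execute script elements inserted via innerHTML; the `<img onerror>` payload from the answer has no such restriction, which is why the escaping has to happen before the string is handed to the page at all.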