Vulnerable to XSS attacks #16

I found multiple XSS attack vectors that aren't caught by the isXss function:
protect/lib/rules/xss.js, lines 4 to 13 in 60b0c91

tl;dr

Don't use regexes for sanitization of HTML, but if you are, then at least strip out all tags with something like:

But even with this, I'd imagine a carefully constructed XSS vector could get around it.

I'd advise:
e.g.
e.g.

As discussed in many posts, e.g.

Regular expressions are not a valid approach when dealing with a more complicated language (especially when browsers support dirty HTML).

For example, here are 26 valid XSS attack vectors that are all reported as false:

Attack Vectors

Proof Of Concept

These have been tested on the current function, the updated function to test for any tags, being escaped, and being set using the text attribute.
The results can be seen here: http://embed.plnkr.co/xHbhB29JWWyMUMeHsLrm

I'm sure there are many other edge cases I haven't thought of yet or that haven't been developed by browsers yet.

If you insist on using regex, here's a good list + just remove any tag:
https://github.com/PHPIDS/PHPIDS/blob/master/lib/IDS/default_filter.json

Comments

CVE-2018-1000160 can be used to track this issue

@cianmce I am curious. Which CNA assigned this CVE?

@vdeturckheim Any CVE that is 7 digits the CNA will be DWF. You can also see the assigning CNA on CVE's web site as of earlier this year: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000160 (Assigning CNA: Distributed Weakness Filing Project)

@attritionorg good catch thanks.