
XSS and numeric code character entities #77

Closed
lemonad opened this Issue May 2, 2012 · 4 comments


lemonad commented May 2, 2012

I'm applying xss sanitization to user input and I'm having problems with numeric entities:

> sanitize("Don"t").xss();
'Don"t'
> sanitize("Don't").xss();
'Don&#;39t'

Notice the second example producing an incorrect entity.

Contributor

boutell commented May 15, 2012

I just banged into this one as well.

Contributor

boutell commented May 15, 2012

The problem is in this line:

//Validate UTF16 two byte encoding (x00) - just as above, adds a semicolon if missing.
str = str.replace(/(&\#x?)([0-9A-F]+);?/i, '$1;$2');

Contributor

boutell commented May 15, 2012

Looks very cut and dried: the semicolon is just in the wrong place in the replacement.

Move it to the end and things work better. Look at the regular expression and notice that the semicolon it's looking for (and supplying if absent) is at the end, after both parenthesized clauses. So it's clear that it doesn't go between $1 and $2, but rather after both of them.

//Validate UTF16 two byte encoding (x00) - just as above, adds a semicolon if missing.
str = str.replace(/(&\#x?)([0-9A-F]+);?/i, '$1$2;');
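The two replacement strings from the comments above, applied side by side, as an added example that is not node-validator's own code. The regex is the one quoted in the issue; the small strict decoder is constructed here to show that only the corrected output still decodes to the intended character.

```javascript
// Added example, not node-validator's own code. ENTITY_RE is the regex quoted in the
// issue; only the replacement string differs between the two functions below.
const ENTITY_RE = /(&\#x?)([0-9A-F]+);?/i;

// Original line: '$1;$2' puts the semicolon between the prefix and the digits,
// so "Don&#39;t" comes out as "Don&#;39t".
function normalizeEntityBuggy(str) {
  return str.replace(ENTITY_RE, '$1;$2');
}

// Fix proposed in the thread: '$1$2;' puts the semicolon after both groups, so a
// well-formed entity is left alone and a missing semicolon is appended.
// Caveats inherited from the regex itself: it is not global, so only the first
// entity in the string is touched, and the /i flag lets a decimal reference swallow
// a following a-f letter ("&#39dog" becomes "&#39d;og").
function normalizeEntityFixed(str) {
  return str.replace(ENTITY_RE, '$1$2;');
}

// Strict decoder (constructed for this example): decodes decimal or hex numeric
// references that have digits and a terminating semicolon; anything else,
// including the malformed "&#;39", is passed through unchanged.
function decodeNumericEntities(str) {
  return str.replace(/&#(x?)([0-9A-Fa-f]+);/gi, (match, hex, digits) => {
    if (!hex && /[^0-9]/.test(digits)) return match; // decimal ref with hex letters
    return String.fromCodePoint(parseInt(digits, hex ? 16 : 10));
  });
}

// Constructed inputs: the issue's example, plus one with the semicolon missing.
for (const input of ['Don&#39;t', 'Don&#39t']) {
  console.log(input, '->', normalizeEntityBuggy(input), '|', normalizeEntityFixed(input),
    '->', decodeNumericEntities(normalizeEntityFixed(input)));
}
```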

Owner

chriso commented May 17, 2012

Fixed in #79

@chriso chriso closed this May 17, 2012
