Html: workaround for innerHTML mXSS vulnerability [Closes #1496]
For the code `<div attr="``foo=bar">`, IE8 produces the invalid innerHTML `<div attr=``foo=bar>`. Adding a space at the end of the attribute forces IE to put quotes around the attribute. More info: http://www.nds.rub.de/research/publications/mXSS-Attacks/ http://www.slideshare.net/x00mario/the-innerhtml-apocalypse
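The workaround from the commit message, as an added example that is not Nette's code (written in JavaScript rather than the project's PHP so the generated markup can be checked in the same script): an attribute serialiser before and after the fix, plus an audit helper for already-generated HTML. The `ie8DropsQuotes` model and the sample `attr` value are assumptions built only on the behaviour the message states.

```javascript
// Added example, not Nette's own code. Values are always emitted in double
// quotes, so escaping &, <, > and " is sufficient for the serialiser itself.
const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };

function escapeAttr(value) {
  return String(value).replace(/[&<>"]/g, (c) => ESCAPE[c]);
}

// Model of the behaviour stated in the commit message: IE8's innerHTML writes
// an attribute value that contains no whitespace without quotes, so a value
// such as ``foo=bar comes back as attr=``foo=bar and the backticks take over
// as delimiters. Assumption: a value containing whitespace keeps its quotes.
function ie8DropsQuotes(value) {
  return !/\s/.test(value);
}

// Before the fix: correctly escaped, but the re-serialised form is unquoted.
function renderAttrBefore(name, value) {
  return `${name}="${escapeAttr(value)}"`;
}

// After the fix: a trailing space is appended whenever the value contains a
// backtick, which forces IE8 to keep the quotes on re-serialisation.
function renderAttrAfter(name, value) {
  let v = String(value);
  if (v.includes('`')) v += ' ';
  return `${name}="${escapeAttr(v)}"`;
}

// Audit helper for generated markup: report double-quoted attribute values
// that contain a backtick and would be written unquoted by IE8. Constructed
// for this example; it only understands double-quoted attributes.
function findBacktickAttrs(html) {
  const found = [];
  const re = /\s([^\s=\/>"'<]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const [, name, value] = m;
    if (value.includes('`') && ie8DropsQuotes(value)) found.push({ name, value });
  }
  return found;
}

// Constructed sample: the attribute from the commit message, rendered both ways.
const before = `<div ${renderAttrBefore('attr', '``foo=bar')}></div>`;
const after = `<div ${renderAttrAfter('attr', '``foo=bar')}></div>`;
console.log(before, findBacktickAttrs(before).length); // 1 flagged
console.log(after, findBacktickAttrs(after).length);   // 0 flagged
```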
Showing 3 changed files with 11 additions and 3 deletions.
18370a2
Nice BC break in 2.1.
Suggest a better solution or shut...
@Majkl578 If the safe web behaves like that, it is not a BC break but a security fix. HTMLPurifier does exactly the same. This really is a workflow BC break as xkcd described it.
@mishak87: Arrogant reply as usual for you. :) The reason why this IS a BC break is this, which may really break existing code. Imagine e.g. some client-side templating system using data attributes for passing around field names.
@Majkl578 We all understand that you mean appending whitespace at the end of attribute value is not BC.
But on to real-case scenarios. Breaks are in applications that:
List can go on...
@Majkl578 Please show at least one example that is not flawed by design and where a BC break occurs.
All bullets above are the reason I used hyperbole with the xkcd comic. If you think that my reply was arrogant, please consult Webster's dictionary. Calling a thing as I see it does not make me arrogant but one with an opinion (and, surprisingly, reason behind it).
Btw, a flaw by design in the application is not a valid argument for a BC break. It is more likely an excuse.
Stop. 🔚
@Majkl578 do you have a better solution?
Another solution is to use the entity `, which is unknown to IE < 10, but it changes the content of the affected attributes in a much harder way.