
Output control does not escape script element #3115

Closed
ebruchez opened this Issue Feb 9, 2017 · 3 comments


ebruchez commented Feb 9, 2017

See SO question.

This should only happen when using mediatype="text/html", and even so we might want to filter it. So why is the markup not escaped?

Luckily:

  • this only happens if a form author explicitly outputs the value of a URL parameter
  • both Chrome and Safari block the page in such cases

@ebruchez ebruchez added this to the 2017.1 milestone Feb 9, 2017

@ebruchez ebruchez self-assigned this Feb 9, 2017

ebruchez Feb 10, 2017

Collaborator

<xf:output> seems to behave fine in XFormsOutputHandler.


ebruchez Feb 10, 2017

Collaborator

In the epilogue, things are escaped:

<xh:span id="xf-4" class="xforms-control xforms-output xforms-mediatype-text-plain xforms-mediatype-text">
    <xh:span id="xf-4≡≡c" class="xforms-output-output">bla&#0;rje1w&lt;script&gt;alert(1)&lt;/script&gt;</xh:span>
</xh:span>

However in the source sent to the browser, they are not:

<span id="xf-4" class="xforms-control xforms-output xforms-mediatype-text-plain xforms-mediatype-text">
    <span id="xf-4≡≡c" class="xforms-output-output">blarje1w<script>alert(1)</script></span>
</span>
ebruchez Feb 10, 2017

Collaborator

Found out that this is due to the Saxon serializer using the character #00 to enable/disable output escaping. Thoughts:

  • I don't think we ever need to disable output escaping, so we could just turn that off completely in HTML1252Emitter and XML1252Emitter.
  • Should we take further steps to remove #00 in some places? This character is not disallowed in Java strings, but it is in XML character data in principle.
    • If so, where would we do this?
    • Should we remove it from some functions like xxf:get-request-parameter()? If so, what about other characters disallowed by XML?
    • Should we filter/error with setvalue and controls writing data?
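A small model of the behaviour this comment describes, added here as an example and not code from Orbeon Forms or Saxon: a serializer that treats U+0000 as an in-band switch for output escaping, next to a hardened emitter that ignores the switch and either rejects or strips characters XML 1.0 does not allow in character data. The escape table, the toggle semantics and the character-class check are assumptions of the example, modelled on the issue text.

```python
import re

# Assumed model of the serializer: every U+0000 in the text flips output
# escaping on or off, as the issue describes for the Saxon serializer.
NUL = "\x00"
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}

def escape(text: str) -> str:
    """Plain character-data escaping for text content."""
    return "".join(ESCAPES.get(c, c) for c in text)

def emit_with_toggle(text: str) -> str:
    """Vulnerable behaviour: a NUL in user data turns escaping off for
    everything that follows it, so later markup reaches the browser raw."""
    out, escaping = [], True
    for ch in text:
        if ch == NUL:
            escaping = not escaping   # the in-band control character
            continue
        out.append(escape(ch) if escaping else ch)
    return "".join(out)

# Characters XML 1.0 allows in character data (the Char production).
XML_CHAR = re.compile(r"[\t\n\r\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]*")

def emit_hardened(text: str) -> str:
    """Hardened emitter: never honours the toggle and errors on
    XML-illegal characters instead of passing them to the serializer."""
    if XML_CHAR.fullmatch(text) is None:
        raise ValueError("XML-illegal character in character data")
    return escape(text)

def strip_xml_illegal(text: str) -> str:
    """Filter variant: silently drop XML-illegal characters (e.g. from a
    request parameter) before the value is written anywhere."""
    return "".join(ch for ch in text if XML_CHAR.fullmatch(ch))

# Constructed input modelled on the issue's "bla&#0;rje1w<script>alert(1)</script>".
PAYLOAD = "bla" + NUL + "rje1w<script>alert(1)</script>"

if __name__ == "__main__":
    print(emit_with_toggle(PAYLOAD))                      # markup comes through raw
    print(emit_hardened(strip_xml_illegal(PAYLOAD)))      # markup stays escaped
```

Running it reproduces the unescaped output shown in the previous comment for the toggle model, while the hardened path either raises on the NUL or, after stripping, emits the escaped form seen in the epilogue.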