window.myvar = '<%= j "\u2028\\\r\n\"'<>&" %>';
<% end %>
this produces the following output:
This happens because the content of a script tag is not interpreted as HTML, except for certain sequences which look like a closing </script> tag to the browser. But Rails escapes &, >, <, and ", which means the values end up getting escaped too many times.
I think this is quite unexpected behaviour, but it may be a feature because it stops XSS attacks caused by the user doing something like:
my_element.innerHTML = window.myvar;
<% end %>
which produces the following output (Chrome's JSON.stringify doesn't escape the Unicode line separator):
Maybe you should use json_escape?
Thanks! That is very close to what I'm looking for.
Unfortunately, it doesn't escape \u2028, \r or \n, so I get a script error.
Output it produces:
window.myvar = "
1.9.3p0 :004 > ERB::Util.json_escape "\r\n"
The representation of strings is similar to conventions used in the C
family of programming languages. A string begins and ends with
quotation marks. All Unicode characters may be placed within the
quotation marks except for the characters that must be escaped:
quotation mark, reverse solidus, and the control characters (U+0000
So maybe we should fix json escape to not double escape?
Then it is exploitable. I don't know of any other way to exploit it.
See section 7.8.4 for string literals and section 7.3 for line terminators:
I'm not sure what other characters we should be escaping. The standard says they should all be safe except line terminators and reverse solidus (), but maybe control characters in the 0000->001F range might do funny things in some browsers.
Ah, I think I understand the json_escape method now. You can do:
and it works correctly. A bit closer anyway :) It seems to remove the " character and doesn't properly handle \u2029.
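For reference, here is an added example of the escaping the thread is asking for, written as a stand-alone Ruby helper. It is not Rails' own json_escape or the j helper; the function names js_string_escape, js_string_literal and safe_in_script_tag? are assumptions for this illustration. It escapes the JavaScript line terminators (\r, \n, \u2028, \u2029), backslash and both quote characters, every other C0 control character, and <, > and & (so an embedded value can never spell out a closing </script> tag), then checks that the resulting literal contains none of those raw characters.

```ruby
# Added example, not code from Rails or from this thread. Escapes a Ruby
# string so it can be placed verbatim inside a JavaScript string literal
# that itself sits inside an HTML <script> block.
JS_ESCAPE_MAP = {
  "\\"     => "\\\\",    # reverse solidus
  '"'      => '\\"',     # double quote
  "'"      => "\\'",     # single quote
  "\r"     => "\\r",     # carriage return (JS line terminator)
  "\n"     => "\\n",     # line feed (JS line terminator)
  "\u2028" => "\\u2028", # LINE SEPARATOR (JS line terminator)
  "\u2029" => "\\u2029", # PARAGRAPH SEPARATOR (JS line terminator)
  "<"      => "\\u003c", # prevents "</script>" from appearing literally
  ">"      => "\\u003e",
  "&"      => "\\u0026",
}.freeze

# Characters that must never appear raw inside the emitted literal.
JS_RAW_FORBIDDEN = ["\r", "\n", "\u2028", "\u2029", "<", ">", "&"].freeze

# Returns the escaped body (without surrounding quotes).
def js_string_escape(str)
  str.each_char.map do |ch|
    if JS_ESCAPE_MAP.key?(ch)
      JS_ESCAPE_MAP[ch]
    elsif ch.ord < 0x20 || ch.ord == 0x7f
      # Remaining control characters: emit as \uXXXX so nothing odd
      # reaches the HTML or JS tokenizer.
      format("\\u%04x", ch.ord)
    else
      ch
    end
  end.join
end

# Wraps the escaped body in double quotes, giving a complete JS literal.
def js_string_literal(str)
  "\"#{js_string_escape(str)}\""
end

# True when the literal holds no raw line terminator, control character
# or HTML-significant character.
def safe_in_script_tag?(literal)
  literal.each_char.none? do |ch|
    JS_RAW_FORBIDDEN.include?(ch) || ch.ord < 0x20 || ch.ord == 0x7f
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, the same awkward characters the thread uses.
  sample = "\u2028\\\r\n\"'<>&"
  literal = js_string_literal(sample)
  puts "window.myvar = #{literal};"
  puts "safe: #{safe_in_script_tag?(literal)}"
end
```

Because every dangerous character is turned into a JavaScript escape sequence rather than an HTML entity, the browser's HTML tokenizer never sees a tag boundary and the JavaScript parser reconstructs the original characters exactly once, which is the single-escaping behaviour the thread is after.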
Is this still an issue?
We should certainly fix json_escape rather than making a new method that also does escaping.
@benmmurphy are you interested in doing that? if not, we should close this, and let someone else take a crack at it.
Since I haven't heard from you in 9 months, @benmmurphy, I'm giving this a close. If you're willing to fix json_escape, please submit a new pull request. Thanks.