Add new filter/transform, fix issue #12 exploitable js4_dq_fp

yahoo · May 1, 2015 · d1435ea · d1435ea
1 parent 12233eb
commit d1435ea
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 1 deletion.
diff --git a/custom.go b/custom.go
@@ -49,7 +49,7 @@ func FilterMap() (mp map[string][]filter) {
 	mp["/xss/reflect/js3_notags_fp"] = []filter{TagsOff, QuotesOff}
 	mp["/xss/reflect/js3_search_fp"] = []filter{TagsOff, QuotesOff}
 	mp["/xss/reflect/js4_dq"] = []filter{TagsOff, SingleQuotesOff}
-	mp["/xss/reflect/js4_dq_fp"] = []filter{TagsOff, DoubleQuotesBackslashEscape, BackslashEscape}
+	mp["/xss/reflect/js4_dq_fp"] = []filter{TagsOff, BackslashEscapeDoubleQuotesAndBackslash}
 	mp["/xss/reflect/js6_bug7208690"] = []filter{TagsOff, DoubleQuotesOff}
 	mp["/xss/reflect/js6_sq"] = []filter{TagsOff, DoubleQuotesOff}
 	mp["/xss/reflect/js6_sq_combo1"] = []filter{TagsOff, DoubleQuotesOff}

diff --git a/filters.go b/filters.go
@@ -10,6 +10,7 @@ type filter int16
 const (
 	Invalid         filter = iota
 	BackslashEscape        // escape \ with a \
+	BackslashEscapeDoubleQuotesAndBackslash
 	DoubleQuotesBackslashEscape
 	DoubleQuotesCook
 	DoubleQuotesOff

diff --git a/transform.go b/transform.go
@@ -83,6 +83,7 @@ func init() {
 	trMap = transformerMap(make(map[filter]Transformer))
 	trMap[BackslashEscape] = NewStringsReplacer(`\`, `\\`)
 	trMap[DoubleQuotesBackslashEscape] = NewStringsReplacer(`"`, `\"`)
+	trMap[BackslashEscapeDoubleQuotesAndBackslash] = ReplaceFunction(backslashDoublequotes)
 	trMap[DoubleQuotesCook] = NewStringsReplacer(`"`, `&quot;`)
 	trMap[DoubleQuotesOff] = NewStringsReplacer(`"`, "")
 	trMap[GreaterThanCook] = NewStringsReplacer(`>`, `&gt;`)
@@ -269,3 +270,17 @@ func ReplaceTextareaSafe(src string) (out string) {
 	// fmt.Printf("TextareaSafe Out: %s\n", out)
 	return out
 }
+
+func backslashDoublequotes(in string) (out string) {
+	for _, r := range in {
+		switch r {
+		case '"':
+			out += `\"`
+		case '\\':
+			out += `\\`
+		default:
+			out += string(r)
+		}
+	}
+	return
+}
diff --git a/transform_test.go b/transform_test.go
@@ -124,6 +124,14 @@ func TestQuotesBackslashQuoteFullEscape(t *testing.T) {
 	}
 }
 
+func TestBackslashDoublequotesEscape(t *testing.T) {
+	t.Parallel()
+	s := `str with "quotes" and \ backslash and both \"`
+	want := `str with \"quotes\" and \\ backslash and both \\\"`
+	if res := Transform(s, BackslashEscapeDoubleQuotesAndBackslash); res != want {
+		t.Errorf("Error in transform: want %s got %s; original: %s\n", want, res, s)
+	}
+}
 func TestScriptOff(t *testing.T) {
 	t.Parallel()
 	s := `str<script>alert(123)</script>`