Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding a few more badcharacters #1083

Closed
wants to merge 2 commits into from
Closed

Adding a few more badcharacters #1083

wants to merge 2 commits into from

Conversation

mrbrutti
Copy link

It would be interesting to contemplate adding even more characters.

@mrbrutti
Updating escaping to support better escaping
04d2df8 
- Adding these special characters to support better escaping. Testing adding also more characters that could result on XSS, such as ";", "(" and ")" . Currently this library is vulnerable to attacks such as <a href={{foo}}/> where foo is "test onload=alert(1)" resulting on the string <a href=test onload=alert(1)/>
@mrbrutti
Update utils.js
7feca92
@kpdecker
Copy link
Collaborator

This method is intended for escaping HTML content only, not javascript. Could you show me an example of what you are using this for that you'd like this change?

@mrbrutti
Copy link
Author

Well, I was adding a few more cases to add common special characters that most libraries include. With that said, I found this when I was testing this edge case <a href={{foo}}/> when { 'foo' : 'test.com onload=alert(1)'} which will be translated as <a href=test.com onload=alert(1)/> which will end on a XSS vulnerability.

@kpdecker
Copy link
Collaborator

Ping me at kpdecker at gmail with the repo case.
On Tue, Aug 25, 2015 at 3:39 PM Matias P. Brutti notifications@github.com
wrote:

Well, I was adding a few more cases to add common special characters that
most libraries include. With that said, I found this when I was testing
this edge case when { 'foo' : 'test.com onload=alert(1)'} which will be
translated as which will end on a XSS vulnerability. http://test.com


Reply to this email directly or view it on GitHub
#1083 (comment)
.

@kpdecker
Copy link
Collaborator

Sorry that was formatted oddly in my email. No need to ping. This isn't the right fix as you are escaping to a different language and thus creating invalid data. Escaping = would be sufficient to mitigate, no?

@mrbrutti
Copy link
Author

I was going to send another patch escaping ‘(‘ , ')’ and ‘=‘. The reason why I added the other special characters as well is because technically those should be escaped as well, but it could potentially break things if someone is trying to paste something on <p>{{text}}</p> which has \n. Although that will have to be a design decision from your library. 👍

With that said, technically this is more of a fault from developers not inserting the correct “ or ‘ to contain the value of the html Attribute, but it is such a common usage that I think you should try to fix it, by escaping a few more characters as you mentioned and I have recommended above.

@kpdecker kpdecker added this to the 4.0 milestone Aug 26, 2015
@kpdecker kpdecker closed this in 83b8e84 Sep 1, 2015
@kpdecker
Copy link
Collaborator

kpdecker commented Sep 1, 2015

Thanks for bringing this up. I went with the = escape as that seemed like the least amount of risk for users. In the compatibility notes I will also note that users should generally opt for quoted attributes whenever possible.

@kpdecker kpdecker mentioned this pull request Oct 4, 2015
Closed
CalebFenton added a commit to srcclr/open-core that referenced this pull request Nov 21, 2015
@CalebFenton
Backport potential xss fix
4a7b034 
handlebars-lang/handlebars.js#1083
@reedloden reedloden mentioned this pull request Dec 11, 2015
Closed
@solidgoldpig solidgoldpig mentioned this pull request Jan 9, 2016
Closed
@kevinoid kevinoid mentioned this pull request Feb 4, 2016
Closed
@ErisDS ErisDS mentioned this pull request Apr 21, 2016
Merged
@GavinJoyce GavinJoyce mentioned this pull request Sep 15, 2016
Closed
@jmbredal jmbredal mentioned this pull request May 2, 2017
Closed
@sechawk sechawk mentioned this pull request Dec 9, 2017
Closed
@nknapp nknapp mentioned this pull request Dec 21, 2018
Closed
@sam-github sam-github mentioned this pull request Mar 19, 2019
Closed
@infolock infolock mentioned this pull request Mar 19, 2019
Closed
This was referenced May 24, 2019
Open
Open
Closed
This was referenced Jun 4, 2019
Open
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Jun 14, 2019
Closed
@mend-for-github-com mend-for-github-com bot mentioned this pull request Jun 14, 2019
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Jun 20, 2019
Closed
This was referenced Jun 20, 2019
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Jun 30, 2019
Closed
This was referenced Jul 13, 2019
Open
Open
Open
Open
@mend-for-github-com mend-for-github-com bot mentioned this pull request Aug 26, 2019
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Sep 24, 2019
Closed
@mend-for-github-com mend-for-github-com bot mentioned this pull request Dec 9, 2019
Closed
This was referenced Dec 18, 2019
Closed
Closed
Closed
@mend-for-github-com mend-for-github-com bot mentioned this pull request Jan 16, 2020
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Jan 28, 2020
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Feb 7, 2020
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Feb 15, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
4.0
Development

Successfully merging this pull request may close these issues.
2 participants
@mrbrutti @kpdecker