From: "Jan G.B." on 23 Apr 2010 08:21 Hi List, I just figured, that the Browsers on my system do interpret ' inside href or onclick attribute as a plain '. Imagine the user input is the following line: param2" foo';);alert(document.cookie);alert(' Which is being written by the script like that: <a href="javascript:void(0);" onclick="test(1, 'USER_INPUT_GOES_HERE');">test</a> USER_INPUT is sent through htmlentities($str, ENT_QUOTES, 'UTF-8'); The result is the following then: <html><body> <script type="text/javascript"> function example(a, b) { alert('valid alert; params: '+ a+', '+b); } </script> <a href="javascript:void(0);" onclick="example(1, 'param2" foo');alert(document.cookie);alert('');">test</a> </body></html> My browsers will alert the document.cookie. Please confirm this (and keep in mind that document.cookie is just empty when tested locally). Regards
From: Michiel Sikma on 24 Apr 2010 10:11 On 23 April 2010 14:21, Jan G.B. <ro0ot.w00t(a)googlemail.com> wrote: > Hi List, > > I just figured, that the Browsers on my system do interpret ' > inside href or onclick attribute as a plain '. > > Imagine the user input is the following line: > > param2" foo';);alert(document.cookie);alert(' > > Which is being written by the script like that: > > <a href="javascript:void(0);" onclick="test(1, > 'USER_INPUT_GOES_HERE');">test</a> > > USER_INPUT is sent through htmlentities($str, ENT_QUOTES, 'UTF-8'); > > The result is the following then: > > <html><body> > <script type="text/javascript"> > function example(a, b) { > alert('valid alert; params: '+ a+', '+b); > } > </script> > > <a href="javascript:void(0);" onclick="example(1, 'param2" > foo');alert(document.cookie);alert('');">test</a> > </body></html> > > > My browsers will alert the document.cookie. > Please confirm this (and keep in mind that document.cookie is just > empty when tested locally). > > > Regards > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > Yes, ' is the same as a single quote. But let's say you set up your page like this: http://pastie.org/932923 Submitting the form will change the $input variable that's also added to the Javascript below. So in theory, you should be able to submit, say, '+window.very_important_variable+' in order to get an alert with the secret number 255 in it. But when submitting that text in the form, the & actually gets converted to &, causing the alert() to literally print the string '. When submitting a real single quote, it gets converted to \', printing a literal '. The only way to get to the window.very_important_variable is by removing the htmlentities() function in the PHP code. The test case you added is incorrect, since properly sanitized input would never have an actual, non-escaped ' in it. Michiel
|
Pages: 1 Prev: Structured PHP studying Next: creating a PHP wrapper script? |