From: "Jan G.B." on
Hi List,

I just figured out that the browsers on my system interpret &#039;
inside an href or onclick attribute as a plain '.

Imagine the user input is the following line:

param2" foo';);alert(document.cookie);alert('

Which is written by the script like this:

<a href="javascript:void(0);" onclick="test(1,
'USER_INPUT_GOES_HERE');">test</a>

USER_INPUT is sent through htmlentities($str, ENT_QUOTES, 'UTF-8');

The result is the following then:

<html><body>
<script type="text/javascript">
function example(a, b) {
alert('valid alert; params: '+ a+', '+b);
}
</script>

<a href="javascript:void(0);" onclick="example(1, 'param2&quot;
foo&#039;);alert(document.cookie);alert(&#039;');">test</a>
</body></html>


My browsers will alert the document.cookie.
Please confirm this (and keep in mind that document.cookie is just
empty when tested locally).


Regards
From: Michiel Sikma on
On 23 April 2010 14:21, Jan G.B. <ro0ot.w00t(a)googlemail.com> wrote:

> Hi List,
>
> I just figured out that the browsers on my system interpret &#039;
> inside an href or onclick attribute as a plain '.
>
> Imagine the user input is the following line:
>
> param2" foo';);alert(document.cookie);alert('
>
> Which is written by the script like this:
>
> <a href="javascript:void(0);" onclick="test(1,
> 'USER_INPUT_GOES_HERE');">test</a>
>
> USER_INPUT is sent through htmlentities($str, ENT_QUOTES, 'UTF-8');
>
> The result is the following then:
>
> <html><body>
> <script type="text/javascript">
> function example(a, b) {
> alert('valid alert; params: '+ a+', '+b);
> }
> </script>
>
> <a href="javascript:void(0);" onclick="example(1, 'param2&quot;
> foo&#039;);alert(document.cookie);alert(&#039;');">test</a>
> </body></html>
>
>
> My browsers will alert the document.cookie.
> Please confirm this (and keep in mind that document.cookie is just
> empty when tested locally).
>
>
> Regards
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Yes, &#039; is the same as a single quote. But let's say you set up your
page like this:

http://pastie.org/932923

Submitting the form will change the $input variable that's also added to the
JavaScript below. So in theory, you should be able to submit, say,
&#039;+window.very_important_variable+&#039; in order to get an alert with
the secret number 255 in it. But when submitting that text in the form, the
& actually gets converted to &amp;, causing the alert() to literally print
the string &#039;. When submitting a real single quote, it gets converted to
\&#039;, printing a literal '.

The only way to get to the window.very_important_variable is by removing the
htmlentities() function in the PHP code. The test case you added is
incorrect, since properly sanitized input would never have an actual,
non-escaped &#039; in it.

Michiel
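The two decoding layers under discussion (HTML attribute decoding by the browser, then JavaScript string parsing), as an added example that is not code from either poster. It models PHP's htmlentities() for the characters at issue, rebuilds Jan's onclick attribute, and sets beside it an encoder that escapes for the JavaScript string context first; the recording stubs, the function names and the cookie value are constructed for the example.

```javascript
// Added example (not code from the thread): models the two decoding layers
// involved. "calls" records which functions the decoded handler invokes, so a
// stray alert() shows up as a recorded call instead of a pop-up.

// Equivalent of PHP htmlentities($s, ENT_QUOTES, 'UTF-8') for the characters at issue.
function htmlentities(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#039;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// What a browser does to an attribute value before the JS engine sees it:
// character references are resolved (&amp; last, so "&amp;#039;" stays literal text).
function decodeAttribute(s) {
  return s.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
          .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
          .replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&amp;/g, '&');
}

// The thread's construction: HTML-encoding only, straight into a JS string literal.
function vulnerableOnclick(input) {
  return "example(1, '" + htmlentities(input) + "');";
}

// Hardened: first build a JS string literal (JSON.stringify), escaping every
// HTML-significant character as \uXXXX so the literal never contains a quote,
// '&', '<' or '>'; then HTML-encode that literal for the attribute context.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>&'\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
function hardenedOnclick(input) {
  return 'example(1, ' + htmlentities(jsStringLiteral(input)) + ');';
}

// Simulate the click: decode the attribute as the browser would, then run the
// resulting script with stubs that only record their arguments.
function runHandler(onclickValue) {
  const calls = [];
  const example = (a, b) => { calls.push(['example', a, b]); };
  const alert = (msg) => { calls.push(['alert', msg]); };
  const document = { cookie: 'sid=constructed-value' }; // constructed stand-in
  new Function('example', 'alert', 'document', decodeAttribute(onclickValue))(example, alert, document);
  return calls;
}

// The input from the thread, as reflected in its rendered onclick attribute.
const INPUT = "param2\" foo');alert(document.cookie);alert('";
```

With the vulnerable builder the decoded handler runs example() and then two alert() calls; with the hardened builder example() receives the whole input as its second argument and nothing else runs.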