XSS - No escaping, but not rendering

Question

I have a site where a page http://www.example.com/errorpage.html?errmsg="Some error string"

This error string is then rendered into the webpage in a <p class="error">Some error string</p> fashion server side, then the HTML is sent to the client.

I've been trying for the past while to see if I can escape this and change the markup without success.

Is it even possible, or is the page secure.

Thanks -Mitchell

@Mitchell Define *"doesn't work"*. Does it produce an alert? Do you see the ` — Phil, Mar 04 '13 at 00:31
@Mitchell Sounds like you're doing the right thing then but without seeing some code, there could be other vulnerabilities — Phil, Mar 04 '13 at 00:32
Unfortunately, I'm not at liberty to release code, or link to the page(the product is unfinished) — Mitchell, Mar 04 '13 at 00:33
Thanks everyone for your advice though. I'll bring it up in the next meeting just to be safe — Mitchell, Mar 04 '13 at 00:34

score 3 · Answer 1 · answered Mar 04 '13 at 00:30

3

This site has a pretty comprehensive list of CSS/XSS exploits, along with specific examples. Allowing an error message to be rendered through a query parameter is pretty suspect though, and even if none of these vectors work, that's no guarantee that some vector won't arise in the future.

answered Mar 04 '13 at 00:30

lmortenson

1,610
11
11

3

My go-to list is https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet – Waleed Khan Mar 04 '13 at 00:39

XSS - No escaping, but not rendering

1 Answers1