2

In JavaScript, is there any known string that can cause mischief if we filter out all 'less than' ('<') characters then display the result as HTML? 

var str = GetDangerousString().toString();
var secure = str.replace(/</g, '');

$('#safe').html(secure); // or
document.getElementById('safe').innerHTML = secure;

This question addresses sanitizing ID's in particular. I'm looking for a general HTML string. Ideal answer is the simplest working example of a string that would inject code or other potentially dangerous elements.

Community
  • 1
  • 1
hamboy
  • 727
  • 2
  • 8
  • 21
  • 1
    Possible duplicate of [Sanitizing user input before adding it to the DOM in Javascript](http://stackoverflow.com/questions/2794137/sanitizing-user-input-before-adding-it-to-the-dom-in-javascript) – random_user_name Dec 25 '15 at 00:37
  • 3
    Better use `textContent` – Oriol Dec 25 '15 at 00:39

1 Answers1

0

That's not enough for sure... You need to HTML encode any HTML you embed in your pages that you want to be editable by an end user. Otherwise, you need to sanitize it.

You can find out more here at the Owasp site

EDIT: In response to your comment, I'm not 100% sure. It sounds like double encoding will get you in some cases if you're not careful.

https://www.owasp.org/index.php/Double_Encoding

For example, this string from that page is supposed to demonstrate an exploit that hides the "<" character:

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E

Also, the character "<" can be encoded lots of different ways in HTML, as suggested by this table:

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Character_escape_sequences

So to me, that's the thing to be careful of - the fact that there may be exploitable cases that are hard to understand, but may leave you open.

But back to your original question - can you give me an example of HTML that renders as HTML that doesn't contain the "<" character? I'm trying to understand what HTML you want users to be able to use that would be in an "id".

Also, if your site is small, if you're open to rewriting parts of it (specifically how you use javascript in your pages), then you could consider using Content Security Policies to protect your users from XSS. This works in most modern browsers, and would protect lots of your users from XSS attacks if you were to take this step.

Brad Parks
  • 66,836
  • 64
  • 257
  • 336
  • 1
    Do you have an example string? – hamboy Dec 29 '15 at 00:03
  • I'm no pro on this, but have had to deal with this topic on a few sites, with multiple developers. I've edited my answer and added some info above ^^^. – Brad Parks Dec 29 '15 at 12:18
  • Upon putting the string "%253Cscript%253Ealert('XSS')%253C%252Fscript%253E" in a website I do not see a possible bypass done, am I missing something? When all I want is to put some text from a user on a web page isn't filtering < and > enough? – circl Mar 22 '23 at 14:19
  • @circl - I would say it's not enough - as soon as you try and write that text to the document, it may be decoded, and turn into the < and > - so you have to sanitize, or html encode. More details [here](https://stackoverflow.com/q/22644385/26510) and [possibly here](https://stackoverflow.com/a/41385970/26510) – Brad Parks Mar 22 '23 at 14:40