additional tags are removed along with half open vulnerable tags <IMG SRC="javascript:alert('XSS')


Rasmita Mahapatra

Feb 7, 2018, 5:39:47 AM2/7/18
to OWASP Java HTML Sanitizer Support
On sanitization the vulnerable content is removed, but it also removes the other tag that comes after the open tag.
 
 Input:              <IMG SRC="javascript:alert('XSS')
                        <pre class="moz-signature" cols="72">-- 
                                       xxxxx India Pvt Ltd

                                      Bangalore
                         </pre>


Output: <img class="moz-signature" />-- 
xxxxx India Pvt Ltd

Bangalore

Issues seen: the pre tag is removed and the class is added to the img tag; the alert is removed, but I am losing the style completely and the 

This looks like a bug.

Mike Samuel

Feb 7, 2018, 9:02:07 AM2/7/18
to OWASP Java HTML Sanitizer Support


<IMG SRC="javascript:alert('XSS')
<pre class="moz-signature" cols="72">

is a single tag that is equivalent to

<img src="javascript:alert('XSS')&#10;&lt;pre class&#61;" cols="72">


Notice that there is no closing double quote nor a closing '>' after javascript:alert('XSS').




Rasmita Mahapatra

Feb 20, 2018, 12:18:23 AM2/20/18
to OWASP Java HTML Sanitizer Support


On Wednesday, February 7, 2018 at 7:32:07 PM UTC+5:30, Mike Samuel wrote:


<IMG SRC="javascript:alert('XSS')
<pre class="moz-signature" cols="72">

is a single tag that is equivalent to

<img src="javascript:alert('XSS')&#10;&lt;pre class&#61;" cols="72">


Notice that there is no closing double quote nor a closing '>' after javascript:alert('XSS').
In that case the output should be <img />, but the output is <img class="moz-signature" />; the class attribute is identified. Moreover, <pre> is a valid HTML element; why is it not identified by the sanitizer?
Rasmita

Mike Samuel

Feb 20, 2018, 12:27:47 AM2/20/18
to OWASP Java HTML Sanitizer Support


On Feb 20, 2018 12:18 AM, "Rasmita Mahapatra" <rasm...@gmail.com> wrote:


On Wednesday, February 7, 2018 at 7:32:07 PM UTC+5:30, Mike Samuel wrote:


<IMG SRC="javascript:alert('XSS')
<pre class="moz-signature" cols="72">

is a single tag that is equivalent to

<img src="javascript:alert('XSS')&#10;&lt;pre class&#61;" cols="72">


Notice that there is no closing double quote nor a closing '>' after javascript:alert('XSS').
In that case the output should be <img />, but the output is <img class="moz-signature" />; the class attribute is identified. Moreover, <pre> is a valid HTML element; why is it not identified by the sanitizer?

<pre> is a valid element but not one that appears in this fragment of HTML as I've explained.  What looks like a pre tag to you is actually part of the img tag -- a tag continues until a '>' closes it.  Line breaks have no effect on where tags end.
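The tokenization described in this thread, shown with an added example that is not from the thread or from the OWASP Java HTML Sanitizer: Python's standard html.parser stands in for the sanitizer's tokenizer, and the two fragments are constructed from the one posted above (the broken one as posted, the fixed one with the src value's quote and the tag's '>' closed).

```python
from html.parser import HTMLParser

# Constructed fragment mirroring the thread's input: the closing quote of the
# src value and the closing '>' of the img tag are missing, so the tokenizer
# keeps reading the "next line" as part of the same tag.
BROKEN = (
    '<IMG SRC="javascript:alert(\'XSS\')\n'
    '<pre class="moz-signature" cols="72">-- \n'
    'xxxxx India Pvt Ltd\n'
    '</pre>'
)

# Same content once the img tag is properly terminated.
FIXED = (
    '<IMG SRC="javascript:alert(\'XSS\')">\n'
    '<pre class="moz-signature" cols="72">-- \n'
    'xxxxx India Pvt Ltd\n'
    '</pre>'
)


class Recorder(HTMLParser):
    """Records start and end tags in the order the tokenizer emits them."""

    def __init__(self):
        super().__init__()
        self.events = []

    def handle_starttag(self, tag, attrs):
        self.events.append(("start", tag, dict(attrs)))

    def handle_endtag(self, tag):
        self.events.append(("end", tag, {}))


def tokenize(fragment):
    parser = Recorder()
    parser.feed(fragment)
    parser.close()
    return parser.events


def start_tags(fragment):
    """Names of the start tags the tokenizer found, in document order."""
    return [tag for kind, tag, _ in tokenize(fragment) if kind == "start"]


def img_src(fragment):
    """The src attribute of the first img tag, or None if there is none."""
    for kind, tag, attrs in tokenize(fragment):
        if kind == "start" and tag == "img":
            return attrs.get("src")
    return None
```

In the broken fragment there is no pre start tag at all: the newline and the text `<pre class=` end up inside the src value, and the dangling `moz-signature"` text is reported by this tokenizer as a bare attribute name, which is why a sanitizer may still see a class-like token on the img element.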