StringTools.htmlEscape


Justin Donaldson

Oct 30, 2012, 6:02:33 PM
to Haxe
I was wondering why the base StringTools.htmlEscape didn't escape as many characters as some of the other libs:
StringTools doesn't handle quotes, or backslashes in 2.10

It seems that this set of escapes is somehow recommended by a few "authorities":

I'm currently using a much larger set of escapes, related to this post:

But, it's probably overkill for some cases.

It seems there's an order of escape context that carries greater risk (from low-risk, to high-risk).
  1. inserting text into html attributes
  2. inserting text into html elements
  3. inserting text into script elements
I think the standard library should at least cover case 1 (e.g. as underscore manages it), and extended web framework libraries could cover case 2.  Case 3 is probably too broad to be covered practically by a single universal method or library.

Best,
-Justin

--
blog: http://www.scwn.net
twitter: sudojudo

Nicolas Cannasse

Oct 31, 2012, 5:47:49 AM
to haxe...@googlegroups.com
On 30/10/2012 23:02, Justin Donaldson wrote:
> I was wondering why the base StringTools.htmlEscape didn't escape as
> many characters as some of the other libs:
> http://documentcloud.github.com/underscore/#escape
> StringTools doesn't handle quotes, or backslashes in 2.10
>
> It seems that this set of escapes is somehow recommended by a few
> "authorities":
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

Originally htmlEscape was thought to allow injecting data into the HTML
flow, i.e. not in attributes.

We could indeed add support for " ' and \ for attribute values, but I'm
not sure which kind of consequences this might bring on existing code bases.

I'll however go with the recommended behavior.

Best,
Nicolas

Justin Donaldson

Oct 31, 2012, 11:21:47 AM
to haxe...@googlegroups.com

Thanks, the other characters make sense to me after reading more about xss.  I will test the new behavior and see if I run into any other issues.

Note that I had attributes and elements backwards... inserting into attributes is more dangerous than into elements, as it requires more escapes.

On Oct 31, 2012 2:47 AM, "Nicolas Cannasse" <ncan...@gmail.com> wrote:

Nicolas Cannasse

Oct 31, 2012, 2:14:39 PM
to haxe...@googlegroups.com
On 31/10/2012 16:21, Justin Donaldson wrote:
> Thanks, the other characters make sense to me after reading more about
> xss. I will test the new behavior and see if I run into any other issues.

Note: I have added both " <-> &quot; and ' <-> &#039; support; I didn't
add slash / support (not sure why it needs to be escaped, BTW).

Best,
Nicolas

Tarwin Stroh-Spijer

Oct 31, 2012, 2:49:58 PM
to haxe...@googlegroups.com
Is there a specific RFC that this function implements? Or is it specific to haxe?


Tarwin Stroh-Spijer
_______________________

Touch My Pixel
http://www.touchmypixel.com/
cell: +1 650 842 0920
_______________________


On Wed, Oct 31, 2012 at 11:14 AM, Nicolas Cannasse <ncan...@gmail.com> wrote:
> On 31/10/2012 16:21, Justin Donaldson wrote:
>> Thanks, the other characters make sense to me after reading more about
>> xss. I will test the new behavior and see if I run into any other issues.
>
> Note : I have added both " <-> &quot; and ' <-> &#039; support, I didn't add slash / support (not sure why it needs to be escaped BTW)
>
> Best,
> Nicolas

Justin Donaldson

Oct 31, 2012, 2:56:25 PM
to haxe...@googlegroups.com

> Note : I have added both " <-> &quot; and ' <-> &#039; support, I didn't add slash / support (not sure why it needs to be escaped BTW)

The note from the XSS guide says:

> / --> &#x2F;     forward slash is included as it helps end an HTML entity

I can't find an attack mentioned for this specific scenario though.

Justin Donaldson

Oct 31, 2012, 4:49:08 PM
to haxe...@googlegroups.com
Here's a gist with my extended escape methods, in case anyone is interested


This should cover more scenarios, but it's still not a perfect solution, and will be slower.  

Here's owasp's escape method, in Java:

That's probably a good starting point for a server-side haxe web framework method.


-Justin

Andreas Mokros

Oct 31, 2012, 6:05:17 PM
to haxe...@googlegroups.com
Hi.

On Wed, 31 Oct 2012 13:49:08 -0700
Justin Donaldson <jdona...@gmail.com> wrote:
> This should cover more scenarios, but it's still not a perfect
> solution,

Different flags for different use cases, especially for quotes, might
make sense here, like in PHP's htmlspecialchars:
http://php.net/manual/de/function.htmlspecialchars.php

I also think a flag to avoid double-encoding of existing entities is
quite useful...

--
Mockey
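An added example (my own code, not Haxe's StringTools, Justin's gist or OWASP's Java method) that puts the pieces discussed in this thread into one escaper: the plain element-content escapes, the `quotes` switch for `"` and `'` that Nicolas added, the optional `/` escape from the OWASP note Justin quoted, and the no-double-encoding flag Andreas suggests from PHP's htmlspecialchars. The class, function and parameter names are mine, and the sample string is constructed.

```haxe
// Added example (mine, not Haxe's StringTools nor Justin's gist):
// one escaper with the switches discussed in this thread.
class HtmlEscape {
    // Matches an entity that is already encoded: &amp; &#39; &#x2F; ...
    static var entityRe = ~/^&(?:[a-zA-Z][a-zA-Z0-9]*|#[0-9]+|#[xX][0-9a-fA-F]+);/;

    // quotes:       also escape " and ' (needed inside attribute values)
    // slash:        also escape / as &#x2F; (the OWASP rule Justin quoted)
    // doubleEncode: when false, an existing entity is left untouched
    //               (PHP htmlspecialchars has the same flag)
    public static function escape(s:String, quotes:Bool = false, slash:Bool = false, doubleEncode:Bool = true):String {
        var buf = new StringBuf();
        var i = 0;
        while (i < s.length) {
            var c = s.charAt(i);
            switch (c) {
                case "&":
                    // Leave an already-encoded entity alone when asked to.
                    if (!doubleEncode && entityRe.match(s.substr(i))) {
                        var ent = entityRe.matched(0);
                        buf.add(ent);
                        i += ent.length;
                        continue;
                    }
                    buf.add("&amp;");
                case "<": buf.add("&lt;");
                case ">": buf.add("&gt;");
                case "\"" if (quotes): buf.add("&quot;");
                case "'" if (quotes): buf.add("&#039;");
                case "/" if (slash): buf.add("&#x2F;");
                default: buf.add(c);
            }
            i++;
        }
        return buf.toString();
    }

    static function main() {
        // Constructed sample input, not taken from the thread.
        var s = 'Tom & Jerry\'s "best" </b> hits &amp; more';
        // Element content: only & < > need escaping.
        trace(escape(s));
        // Attribute value: quotes must not be able to close the attribute.
        trace('<input value="' + escape(s, true) + '">');
        // Same, but keep the already-encoded &amp; and escape the slash too.
        trace('<input value="' + escape(s, true, true, false) + '">');
    }
}
```

The third call shows why the double-encoding flag matters: with it on, `&amp;` in the input becomes `&amp;amp;` and renders as the literal text "&amp;" instead of "&".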

Justin Donaldson

Dec 28, 2012, 12:16:45 AM
to haxe...@googlegroups.com

Here's a few more gotchas, and a link to a relevant Google method
https://medium.com/joys-of-javascript/42a28471221d
