New encoding function needed for template literal context (string literals)

Question

New encoding function needed for template literal context (string literals)

veita opened this issue 6 years ago · comments

Encode.forJavaScript is intended to

Encode for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source. The caller MUST provide the surrounding quotation characters for the string.

However, the string

input = "hell`;alert(1);`o"

encoded with Encode.forJavaScript produces the following output which allows for XSS.

<!DOCTYPE html>
<html>
  <body>
  <script>
  // var data = `<%=Encode.forJavaScript(input)%>`;
  var data = `hell`;alert(1);`o`;
  </script>
  </body>
</html>

Related: #14

Alexander Veit · Answer 1 · Wed Aug 01 2018 04:08:46 GMT+0800 (China Standard Time)

I think RULE #3 of the original OWASP XSS Prevention Cheat Sheet

Except for alphanumeric characters, escape all characters less than 256 with the \xHH format [...]

would handle this case correctly.

Alexander Veit · Answer 2 · Wed Aug 01 2018 04:30:04 GMT+0800 (China Standard Time)

Template literals are in the JavaScript standard since ECMAScript 2015 Language Specification 6th Edition, June 2015. See the link I've posted in my first comment above.

Jim Manico · Answer 3 · Wed Aug 01 2018 04:32:57 GMT+0800 (China Standard Time)

This library does not currently support string liberals with the JavaScript encoding functions. I deleted several of the comments above to clear up this thread; some of our comments crossed. I follow you now. I'll add a feature request for a string literal escaping function or similar and will get Jeff involved.

Alexander Veit · Answer 4 · Wed Aug 01 2018 04:34:30 GMT+0800 (China Standard Time)

Jim, thank you very much.
-Alex

Jeff Ichnowski · Answer 5 · Wed Aug 01 2018 12:28:39 GMT+0800 (China Standard Time)

The above use case would be better handled by using strings instead of template literals. But I assume this is just mentioned as a demonstration, and that there is a valid use case for embedding server side data in a template literal. An easy way to do it right now would be to embed the server-side string in the template literal by surrounding it with ${" and "} and escaping it. Hopefully this can provide a useful crutch for now:

<!DOCTYPE html>
<html>
  <body>
  <script>
  // var data = `${"<%=Encode.forJavaScript(input)%>"}`;
  var data = `${"hell`;alert(1);`o"}`;  // does not pop alert
  </script>
  </body>
</html>

My recommendation, however, would be to instead escape the content to a JavaScript variable, and then use a template literal that references the variable, e.g.:

    var input = "<$= Encode.forJavaScript(input) $>";
    var data = `Here's your input: ${ input }, hope it's not XSS!`;

Jim Manico · Answer 6 · Thu Aug 16 2018 03:25:10 GMT+0800 (China Standard Time)

After talking with @jeffi we decided to politely close this out and not add a new encoding method. I'll update the wiki to address this issue per Jeff's comments.

Jim Manico · Answer 7 · Thu Aug 16 2018 03:38:26 GMT+0800 (China Standard Time)

Wiki text added https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Encoding_and_Template_Literals

Alexander Veit · Answer 8 · Thu Aug 16 2018 06:47:07 GMT+0800 (China Standard Time)

Would there really be the need to create a new encoding method?

From my naive point of view template literals are just a third kind of string literals delimited by backticks instead of single or double quotes.

So my guess is that it would suffice to let the existing Encode.forJavaScript output \x60 for any occurrence of the backtick.