Javascript errors with encoded apostrophe and possible XSS vulnerabilityin IE 7

Discussion in 'Internet Explorer' started by Kristian Herpel, Feb 20, 2007.

  1. Hello,

    I've got a reproducible problem with Internet Explorer 7 (lastest update
    installed 7.0.5730.11):

    If I add an apostrophe encoded as html entity ' to a string
    parameter of a javascript method call, the call results in a javascript
    error, e.g.:

    <html>
    <head>
    <script type="text/javascript">
    <!--
    function myTest(parameter) { alert(parameter); }
    //-->
    </script>
    </head>
    <body>
    <!-- results in a javascript error -->
    <a href="#" onclick="myTest('M'essage'); return true;">test</a>
    </body>

    It seems that the encoded apostrophe is converted back to the ascii
    sign. But if I add the encoded apostrophe to a attribute of a html tag
    the apostrophe isn't converted to the ascii sign, e.g.:

    <!-- title is displayed with the apostrophe -->
    <a href="#" title='M'essage'>test</a>

    Both versions are working in IE 6 and Mozilla without any problems. Is
    this a IE 7 bug or is this the default behavior for this version? Are
    there any workaround besides converting all occurrences into another
    html entity like the right single quotation mark (&rsquo; or ’)?


    The problem might also be exploited for XSS (cross-site scripting) if
    any input parameter containing the apostrophe sign is replaced by the
    html entity ' , e.g.:

    // normally the paramValue is converted from an input parameter
    String paramValue = "';);alert(document);myTest('";
    [...]
    <!-- output of the converted
    <a href="#" onclick="myTest('<%=paramValue %>'); return true;">test</a>


    Thanks,
    Kristian
     
    Kristian Herpel, Feb 20, 2007
    #1
    1. Advertisements

  2. Kristian Herpel

    //erlin! Guest

    Why would you use encoding when you can simply escape it?
     
    //erlin!, Feb 20, 2007
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.