A JavaScript Security Flaw

The following is a JavaScript security flaw:

<script>
  var str = "</script><script>alert('Pwned');</script>";
</script>

Don’t believe me? Try it for yourself. The browser ignores the fact that the <script> tags are inside a JavaScript String, invoking the alert() function.

The reason for this odd behavior is that the page gets rendered in various stages. First the HTML is parsed, and a render tree created. Only then, is the JavaScript actually executed. In the example above, the render tree see the <script> tags, and is oblivious to the fact that they’re inside a string; it has no concept of JavaScript. It strips these out, and evaluates the script nodes as usual with our injected message.

This behavior would be little more than a curiosity, were it not for the common pattern of injecting JSON into documents, say with ERB.

<script>
  var users = <%= @users.to_json.html_safe %>;
</script>

If you have the line above anywhere in your code, and @users includes some user submitted data, your application is vulnerable to a XSS attack.

If you’re using Rails, you can thwart this vulnerability by setting ActiveSupport.escape_html_entities_in_json to true. The default is false.

 
1,027
Kudos
 
1,027
Kudos

Read this next

When you should quit your job

I have a simple rule for quitting jobs, and it has served me pretty well in the past. You should quit your job when you stop loving your job. Sounds straightforward, but how do you define that? Well, I believe the definition of whether... Continue →