Posted to dev@sling.apache.org by Andreas Schaefer <sc...@me.com.INVALID> on 2022/10/05 17:00:32 UTC
XSSAPI.encodeForHTMLAttr() does not handle code injection
Hi
When I use XSSAPI.encodeForHTMLAttr() with this value:
/content/dam/test-folder/"><img src=x onerror=alert(document.cookie)>.html
The resulting HTML tag will be closed and the <img> tag is injected.
I would assume that a method like this will not allow the HTML Attribute to be closed let alone to close the tag altogether.
Is there a way to fix that within the Sling XSS suite ?
Is that a shortcoming / bug ?
Thanks - Andy
Re: XSSAPI.encodeForHTMLAttr() does not handle code injection
Posted by Eric Norman <en...@apache.org>.
Hi Andy,
Can you clarify which version of the XSS bundle you are using?
I tried this in the 2.3.x XSS codebase. When I plug your string into the XSSAPIImplTest#dataForEncodeToHtmlAttr test data
<https://github.com/apache/sling-org-apache-sling-xss/blob/7a9ed4c18cfacaa3a270ba0bc286b7d5e67cb00e/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java#L292>
I get the following as the output:
/content/dam/test-folder/"><img src=x onerror=alert(document.cookie)>.html
Regards,
Eric
On Wed, Oct 5, 2022 at 10:00 AM Andreas Schaefer <sc...@me.com.invalid> wrote:
> Hi
>
> When I use XSSAPI.encodeForHTMLAttr() with this value:
>
> /content/dam/test-folder/"><img src=x onerror=alert(document.cookie)>.html
>
> The resulting HTML tag will be closed and the <img> tag is injected.
>
> I would assume that a method like this will not allow the HTML Attribute
> to be closed let alone to close the tag altogether.
>
> Is there a way to fix that within the Sling XSS suite ?
> Is that a shortcoming / bug ?
>
> Thanks - Andy
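The thread is about what an attribute-context encoder must guarantee: a value placed inside a quoted attribute must not be able to close that attribute or open a tag. The following Python example is added here and is not Sling's code; it uses the standard library `html.escape(value, quote=True)` as a stand-in for `XSSAPI.encodeForHTMLAttr()` (an assumption, the real Sling implementation may produce different entity forms), runs the exact string from the original post through it, contrasts it with a deliberately weak encoder that only escapes `<` and `>`, and shows what a parser then sees in the rendered `href`. The `is_safe_for_quoted_attr` post-condition is the check a unit test such as the one Eric mentions could assert on the encoder's output.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: the value from the original post in this thread.
PAYLOAD = '/content/dam/test-folder/"><img src=x onerror=alert(document.cookie)>.html'


def encode_for_html_attr(value: str) -> str:
    """Attribute-context encoder (stand-in for XSSAPI.encodeForHTMLAttr()).

    html.escape with quote=True rewrites & < > " and ', so the result can
    never terminate a quoted attribute value or open a new tag.
    """
    return html.escape(value, quote=True)


def encode_tags_only(value: str) -> str:
    """Deliberately weak encoder: escapes only < and > (text-node thinking).

    Kept here to show why an encoder that ignores quotes is not adequate
    inside an attribute value, which is the symptom described in the thread.
    """
    return value.replace("<", "&lt;").replace(">", "&gt;")


# Raw characters that end a quoted attribute value or start a tag, plus a
# bare '&' that does not begin a well-formed character reference.
_BREAKOUT = re.compile(
    r'["\'<>]|&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);)'
)


def is_safe_for_quoted_attr(encoded: str) -> bool:
    """Defender's post-condition: no breakout characters survive encoding."""
    return _BREAKOUT.search(encoded) is None


def render_link(value: str, encoder) -> str:
    """Place a value into a double-quoted href the way a template would."""
    return f'<a href="{encoder(value)}">link</a>'


class _StartTags(HTMLParser):
    """Collects (tag, [(name, value), ...]) as an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def parsed_start_tags(markup: str):
    """Return the start tags (with decoded attribute values) found in markup."""
    p = _StartTags()
    p.feed(markup)
    p.close()
    return p.tags


if __name__ == "__main__":
    for name, enc in (("attribute encoder", encode_for_html_attr),
                      ("tags-only encoder", encode_tags_only)):
        out = enc(PAYLOAD)
        print(f"{name}: {out}")
        print(f"  safe for quoted attribute: {is_safe_for_quoted_attr(out)}")
        print(f"  parser sees: {parsed_start_tags(render_link(PAYLOAD, enc))}")
```

With the attribute encoder the parser reports a single `<a>` element whose `href` decodes back to the original string; with the tags-only encoder the raw `"` ends the attribute early and the remainder of the value is parsed as additional attributes of the `<a>` tag, which is exactly the breakout the original post is worried about.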