Posted to user@click.apache.org by foxesout <nk...@escholar.com> on 2012/03/21 16:54:02 UTC

Javascript is executed before the Filter? Cross site scripting...

Hello,
I have a Click application and to safeguard the app from Cross Site
Scripting we are stripping off all of the < and > request tags in our
Filter.  It works when the user enters something with these greater than or
less than tags into the input fields of the page.  
But when we modify the URL itself with something like 
=</td>

We still get an alert on the page even though we see in our logs that the
request goes through the filter and the tags get stripped off.
But it looks like the JavaScript gets executed before we hit the filter.
We have the same set up in the other Struts application and this doesn't
happen.

Any suggestions?

--
View this message in context: http://click.1134972.n2.nabble.com/Javascript-is-executed-before-the-Filter-Cross-site-scripting-tp7392633p7392633.html
Sent from the click-user mailing list archive at Nabble.com.

Re: Javascript is executed before the Filter? Cross site scripting...

Posted by foxesout <nk...@escholar.com>.
Bob,

Here is the URL that looks exactly like the URL of my application aside from
the context path:

http://click.avoka.com/click-examples/table/table-sorting.htm?actionLink=table-controlLink&column=</td>check&page=0

When I do the above with my application - I get an alert on some of the
pages.

When I actually use the above link - I don't get an alert, but I see a
message at the top of the page "Internet Explorer has modified this page to
help prevent cross-site scripting...."
My application also gives me this message sometimes instead of the alert,
not sure why some pages get an alert and some just this message, but I
believe the same thing is happening in all of these cases.
I believe the browser is actually encoding the script tags and that is why
this message comes up instead of the alert...
Thanks for looking at this!




--
View this message in context: http://click.1134972.n2.nabble.com/Javascript-is-executed-before-the-Filter-Cross-site-scripting-tp7392633p7398497.html
Sent from the click-user mailing list archive at Nabble.com.

Re: Javascript is executed before the Filter? Cross site scripting...

Posted by Bob Schellink <sa...@gmail.com>.
Hi,

I'm still confused as to how you get a JavaScript alert.

Here is a sort example:
http://click.avoka.com/click-examples/table/table-sorting.htm

What do you change in the url to get the alert?

Can you post the url here?

kind regards

Bob

On Wed, Mar 21, 2012 at 7:18 PM, foxesout <nk...@escholar.com> wrote:
> Bob,
> Thanks for your reply.
> This is done as part of the cross site scripting testing, so what we put in
> the URL may seem strange but it reveals the possible vulnerabilities.
>
> No - I don't have these variables displayed on the pages, they are not part
> of the Velocity Templates.
>
> This happens during the sort for example.  If you click on a column to sort
> and then in the URL substitute that column name with something that has  or
> similar, you will get a JavaScript alert.  Or an ID parameter that is bound
> on the page but not displayed, if substituted with an above string - will
> get you an alert.
>
> Is there a way to catch this?
>
> Thanks so much for the help.
>
> --
> View this message in context: http://click.1134972.n2.nabble.com/Javascript-is-executed-before-the-Filter-Cross-site-scripting-tp7392633p7392891.html
> Sent from the click-user mailing list archive at Nabble.com.

Re: Javascript is executed before the Filter? Cross site scripting...

Posted by foxesout <nk...@escholar.com>.
Bob,
Thanks for your reply.
This is done as part of the cross site scripting testing, so what we put in
the URL may seem strange but it reveals the possible vulnerabilities.

No - I don't have these variables displayed on the pages, they are not part
of the Velocity Templates.

This happens during the sort for example.  If you click on a column to sort
and then in the URL substitute that column name with something that has  or
similar, you will get a JavaScript alert.  Or an ID parameter that is bound
on the page but not displayed, if substituted with an above string - will
get you an alert. 

Is there a way to catch this?

Thanks so much for the help.

--
View this message in context: http://click.1134972.n2.nabble.com/Javascript-is-executed-before-the-Filter-Cross-site-scripting-tp7392633p7392891.html
Sent from the click-user mailing list archive at Nabble.com.

Re: Javascript is executed before the Filter? Cross site scripting...

Posted by Bob Schellink <sa...@gmail.com>.
Hi,

On 21/03/2012 17:54 PM, foxesout wrote:
> Hello,
> I have a Click application and to safeguard the app from Cross Site
> Scripting we are stripping off all of the < and > request tags in our
> Filter.  It works when the user enters something with these greater than or
> less than tags into the input fields of the page.
> But when we modify the URL itself with something like
> =</td>

Not sure what you mean here? You put a table cell in the url? You can place a breakpoint in your 
filter to check which parameters are escaped.
>
> We still get an alert on the page even though we see in our logs that the
> request goes through the filter and the tags get stripped off.
> But it looks like the java script gets executed before we hit the filter.
Javascript is executed in the browser. The filter is run on the server.
Do you place the variable in your Velocity templates which is then executed? I personally don't 
filter input as there might be use cases where you do want a < or > ie., mathematical formulas or 
input of some kind of markup.

Instead I escape the variables at rendering time. In your templates you can do something like:

$format.escape($var)

regards

Bob


> We have the same set up in the other Struts application and this doesn't
> happen.
>
> Any suggestions?
>
> --
> View this message in context: http://click.1134972.n2.nabble.com/Javascript-is-executed-before-the-Filter-Cross-site-scripting-tp7392633p7392633.html
> Sent from the click-user mailing list archive at Nabble.com.
>
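The point Bob makes above (the filter runs on the server, the script runs in the browser, and the safer fix is to escape at render time rather than strip angle brackets on input) as an added Java example. This is not Click's code and not its Format class: htmlEscape is a stand-in for what $format.escape($var) does in a Velocity template, and the cell template, the stripAngleBrackets filter and the "</td>check" parameter value are constructed here to mirror the URL from the thread.

```java
import java.util.Arrays;
import java.util.List;

public class RenderTimeEscapeDemo {

    // Stand-in for Velocity's $format.escape($var): encode the five characters
    // that let a value change HTML structure. Added illustration, not Click's code.
    static String htmlEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The approach from the original post: drop < and > from the request
    // parameter before the page ever sees it (constructed, not the poster's filter).
    static String stripAngleBrackets(String s) {
        return s == null ? "" : s.replace("<", "").replace(">", "");
    }

    // Constructed stand-in for a table template that echoes the sort column
    // parameter back into the response without escaping it.
    static String renderCellUnescaped(String column) {
        return "<td>" + column + "</td>";
    }

    // Same cell, escaped at render time: the value can no longer close the <td>.
    static String renderCellEscaped(String column) {
        return "<td>" + htmlEscape(column) + "</td>";
    }

    // A defender-side check: does the rendered markup still contain the
    // exact column text as raw HTML? If so, the value reached the browser
    // as structure rather than as text, which is the condition Bob describes.
    static boolean echoesRawMarkup(String rendered, String column) {
        return column.indexOf('<') >= 0 && rendered.contains(column);
    }

    public static void main(String[] args) {
        // Constructed inputs: the first has the shape of the value in the thread's URL
        // (column=</td>check); the second is a legitimate value that stripping destroys.
        List<String> samples = Arrays.asList("</td>check", "a < b and b > c");

        for (String column : samples) {
            String unescaped = renderCellUnescaped(column);
            String stripped  = renderCellUnescaped(stripAngleBrackets(column));
            String escaped   = renderCellEscaped(column);

            System.out.println("parameter : " + column);
            System.out.println("  unescaped: " + unescaped
                    + "  (raw markup reaches browser: " + echoesRawMarkup(unescaped, column) + ")");
            System.out.println("  stripped : " + stripped
                    + "  (safe, but the user's text is altered)");
            System.out.println("  escaped  : " + escaped
                    + "  (raw markup reaches browser: " + echoesRawMarkup(escaped, column) + ")");
        }
    }
}
```

Two things the output makes concrete. First, the server-side filter cannot run "after" any script: whatever alert the browser shows comes from markup that was in the HTTP response, so if an alert still appears on some pages the value reached those pages by a path the filter did not cover (a parameter bound to a control but not passed through the filter, for example), and a breakpoint in the filter, as Bob suggests, is the way to see which parameters it actually touched. Second, stripping "<" and ">" also corrupts legitimate input such as "a < b", while escaping at render time preserves it and still keeps the "</td>check" value inside its cell. The "Internet Explorer has modified this page" banner in the thread is the browser's own reflected-XSS filter reacting to the echoed parameter; it is a hint that the value was reflected, not a mitigation to rely on.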