Re: htmlentities ENT_QUOTES in HTML attributes?

On 23 April 2010 14:21, Jan G.B. <ro0ot.w00t@xxxxxxxxxxxxxx> wrote:

> Hi List,
>
> I just figured that the browsers on my system interpret &#039;
> inside an href or onclick attribute as a plain '.
>
> Imagine the user input is the following line:
>
> param2" foo';);alert(document.cookie);alert('
>
> Which is being written by the script like that:
>
> <a href="javascript:void(0);" onclick="test(1,
> 'USER_INPUT_GOES_HERE');">test</a>
>
> USER_INPUT is sent through htmlentities($str, ENT_QUOTES, 'UTF-8');
>
> The result is the following then:
>
> <html><body>
> <script type="text/javascript">
> function example(a, b) {
>  alert('valid alert; params: '+ a+', '+b);
> }
> </script>
>
> <a href="javascript:void(0);" onclick="example(1, 'param2&quot;
> foo&#039;);alert(document.cookie);alert(&#039;');">test</a>
> </body></html>
>
>
> My browsers will alert the document.cookie.
> Please confirm this (and keep in mind that document.cookie is just
> empty when tested locally).
>
>
> Regards
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Yes, &#039; is the same as a single quote. But let's say you set up your
page like this:

http://pastie.org/932923

Submitting the form will change the $input variable that's also added to the
JavaScript below. So in theory, you should be able to submit, say,
&#039;+window.very_important_variable+&#039; in order to get an alert with
the secret number 255 in it. But when submitting that text in the form, the
& actually gets converted to &amp;, causing the alert() to literally print
the string &#039;. When submitting a real single quote, it gets converted to
\&#039;, printing a literal '.

The only way to get to the window.very_important_variable is by removing the
htmlentities() function in the PHP code. The test case you added is
incorrect, since properly sanitized input would never have an actual,
non-escaped &#039; in it.

Michiel
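As an added illustration (not code from either post), the JavaScript below models the two decoding stages an onclick attribute goes through: what htmlentities() with ENT_QUOTES produces, what the browser hands to the JavaScript engine after decoding the attribute value, and the safe order of escaping for the inner JavaScript string context before HTML-encoding. The function names are assumptions made for this example, and PHP's and the browser's behaviour are approximated for the characters that appear in the thread.

```javascript
// Added example, not code from the thread: models the two decoding stages an
// onclick attribute passes through, to show why htmlentities() on its own does
// not protect a JavaScript string literal inside an HTML attribute.
// All function names are assumptions made for this illustration.

// Approximation of PHP's htmlentities($s, ENT_QUOTES, 'UTF-8') for the
// characters relevant here (PHP emits &#039; for the single quote).
function htmlentitiesEntQuotes(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Approximation of what the browser does to an attribute value before the
// JavaScript engine ever sees it: character references are decoded once.
function decodeAttributeValue(attr) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return attr.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return Object.prototype.hasOwnProperty.call(named, ref) ? named[ref] : whole;
  });
}

// Escape for the inner context (a JS string literal) first, using \uXXXX so
// the result contains no quote, backslash or HTML-significant character.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9 ,._-]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// What the thread's PHP emits: the input is only HTML-encoded.
function onclickHtmlOnly(userInput) {
  return "example(1, '" + htmlentitiesEntQuotes(userInput) + "');";
}

// Hardened: escape for the JS context, then HTML-encode for the attribute.
function onclickJsThenHtml(userInput) {
  return "example(1, '" + htmlentitiesEntQuotes(jsStringEscape(userInput)) + "');";
}

// The input from the thread, shown as the JS engine sees it after decoding.
const threadInput = "param2\" foo');alert(document.cookie);alert('";
console.log(decodeAttributeValue(onclickHtmlOnly(threadInput)));   // raw quotes are back
console.log(decodeAttributeValue(onclickJsThenHtml(threadInput))); // quotes stay as \u0027
```

The last two lines also confirm Michiel's observation: an input that already contains the text &#039; is turned into &amp;#039; by htmlentities(), so the browser delivers the literal characters &#039; to the script rather than a quote.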
