On 23 April 2010 14:21, Jan G.B. <ro0ot.w00t@xxxxxxxxxxxxxx> wrote:
> Hi List,
>
> I just figured, that the Browsers on my system do interpret &#39;
> inside href or onclick attribute as a plain '.
>
> Imagine the user input is the following line:
>
> param2" foo';);alert(document.cookie);alert('
>
> Which is being written by the script like that:
>
> <a href="javascript:void(0);" onclick="test(1,
> 'USER_INPUT_GOES_HERE');">test</a>
>
> USER_INPUT is sent through htmlentities($str, ENT_QUOTES, 'UTF-8');
>
> The result is the following then:
>
> <html><body>
> <script type="text/javascript">
> function example(a, b) {
> alert('valid alert; params: '+ a+', '+b);
> }
> </script>
>
> <a href="javascript:void(0);" onclick="example(1, 'param2&quot;
> foo&#39;);alert(document.cookie);alert(&#39;');">test</a>
> </body></html>
>
>
> My browsers will alert the document.cookie.
> Please confirm this (and keep in mind that document.cookie is just
> empty when tested locally).
>
>
> Regards
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Yes, &#39; is the same as a single quote. But let's say you set up your page like this: http://pastie.org/932923

Submitting the form will change the $input variable that's also added to the Javascript below. So in theory, you should be able to submit, say, &#39;+window.very_important_variable+&#39; in order to get an alert with the secret number 255 in it. But when submitting that text in the form, the & actually gets converted to &amp;, causing the alert() to literally print the string &#39;. When submitting a real single quote, it gets converted to \', printing a literal '. The only way to get to the window.very_important_variable is by removing the htmlentities() function in the PHP code.

The test case you added is incorrect, since properly sanitized input would never have an actual, non-escaped ' in it.

Michiel
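As an added example (not code from the thread or from either poster), the script below models what a browser does with the onclick attribute: the HTML parser decodes entities in the attribute value once, and only then does the script engine parse the result. It compares the entities-only encoding from the thread with a JS-string-literal-then-attribute encoding; the example() call, the payload and the other inputs are constructed to mirror the thread.

```php
<?php
// Added example, not code from the thread. Two steps matter for an onclick
// attribute: the HTML parser decodes entities exactly once, then the script
// engine parses what is left. All inputs below are constructed for the demo.

// Encoding as used in the thread: HTML entities only. htmlentities() emits '
// as &#039;, which browsers decode exactly like &#39;.
function encode_entities_only(string $input): string {
    return htmlentities($input, ENT_QUOTES, 'UTF-8');
}

// Context-aware encoding: first a JS string literal with < > & ' " hex-escaped
// (so no entity can form after decoding), then HTML-escaped for the attribute.
function encode_for_js_in_attribute(string $input): string {
    $js = json_encode($input, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return htmlspecialchars($js, ENT_QUOTES, 'UTF-8');
}

// Attribute body the server writes. The thread's template supplies the quotes;
// the hardened template lets json_encode() supply them.
function render_thread_style(string $input): string {
    return "example(1, '" . encode_entities_only($input) . "');";
}
function render_hardened(string $input): string {
    return "example(1, " . encode_for_js_in_attribute($input) . ");";
}

// Check: decode the attribute once (as the HTML parser does), strip every JS
// string literal, and see whether anything beyond the call skeleton remains.
function payload_reaches_js(string $attribute_body): bool {
    $js = html_entity_decode($attribute_body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $literal = '/\'(?:\\\\.|[^\'\\\\])*\'|"(?:\\\\.|[^"\\\\])*"/';
    $skeleton = preg_replace($literal, '', $js);
    return $skeleton !== 'example(1, );';
}

$inputs = [
    'thread payload'       => 'param2" foo\');alert(document.cookie);alert(\'',
    'entity typed by user' => '&#39;+window.very_important_variable+&#39;',
    'benign apostrophe'    => "O'Reilly & Sons",
];
foreach ($inputs as $label => $input) {
    printf("%-22s entities-only: %s  hardened: %s\n", $label,
        payload_reaches_js(render_thread_style($input)) ? 'BROKEN' : 'ok',
        payload_reaches_js(render_hardened($input)) ? 'BROKEN' : 'ok');
}
```

The entities-only row reports BROKEN for both the payload and the plain apostrophe in "O'Reilly", and ok for the typed `&#39;` (whose `&` became `&amp;`), while the hardened encoding keeps every input inside a single string literal.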