
I know this question has been discussed on the net various times, and people give some examples of how to bypass these functions by passing some code. But here is one issue: all examples for htmlentities/htmlspecialchars relate to the case where we embed the value as an attribute, like

<a href="" title="<?php echo htmlentities([XSS_CODE]) ?>"></a> 

OR

<img onerror="<?php echo htmlentities([XSS_CODE]) ?>" /> 

But if I need to show data as content like below.

<div><?php echo htmlentities([XSS_CODE]) ?></div>

How could it be insecure? As the content will not have triggers/events like attributes have, this should be safe in all cases.

I studied https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet . Almost all examples for XSS attack/filter bypass do not work for the given case. I tried the hex-encoded values of < and > as given in the last paragraph of the URL, but that again failed and was displayed simply as data.

I actually have doubts over https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Character_escape_sequences which has some combinations that are not handled by htmlentities, like \x3c, \u003c, %3C, though I myself was unable to produce an exploit using them.

I tried example like

// PHP resolves \x3c and \x3e inside a double-quoted string, so $code holds real < and > characters
$code = "\x3cstrong\x3eHello World\x3c/strong\x3e";
// OR, with PHP 7 Unicode escapes (\u003c is not a PHP escape sequence; the form is \u{3c})
$code = "\u{3c}strong\u{3e}Hello World\u{3c}/strong\u{3e}";


<div><?php echo htmlentities($code); ?></div>

Note: I tried all attacks on Firefox 40 on an Ubuntu machine.

kuldeep.kamboj
  • Welcome. What about [this](http://security.stackexchange.com/questions/67504/is-addslashes-htmlentities-sufficiently-secure) and [that](http://security.stackexchange.com/questions/10857/will-htmlspecialchars-php-be-enough-for-making-secure-pdf-files-with-user-ente) question? –  Sep 21 '15 at 14:31
  • @Begueradj Neither of those questions talks about this specific scenario; they talk about general rules to prevent attacks. – kuldeep.kamboj Sep 21 '15 at 14:39
  • Your example shouldn't be insecure. htmlentities is what is recommended to prevent XSS (as you also mentioned, [htmlentities is not enough in some locations](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet), but in the general case it's secure). Just out of interest: in your question, you imply that your first example would not be secure. How can the title attribute of a link lead to XSS? – tim Sep 21 '15 at 15:40
  • @tim I searched and found a link having an example for a span with a title attribute for an XSS exploit. Don't know if the anchor tag behaves differently. http://blog.astrumfutura.com/2012/03/a-hitchhikers-guide-to-cross-site-scripting-xss-in-php-part-1-how-not-to-use-htmlspecialchars-for-output-escaping/ – kuldeep.kamboj Sep 22 '15 at 05:12

2 Answers


htmlentities is the better function to use as it encodes all possible characters.

The only way I can see XSS being achieved in your example is with Internet Explorer if the charset is set to UTF-7.

If your charset is UTF-7 then

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

becomes

<script>alert(document.location)</script>

when interpreted by the browser. Additionally, htmlentities does not encode any of those characters.

Bear in mind that only old versions of Internet Explorer will auto detect UTF-7 - it would need to be explicitly set in modern versions (either by the website author or by the attacker using some other vector) - see this answer.

SilverlightFox
  • If I set charset utf8 in the meta tag of the page ``, is this safe against the UTF-7 hack on older IE browsers? – kuldeep.kamboj Sep 22 '15 at 11:50
  • Yes, as long as it is right at the start of the page. [Some browsers only scan the first 512 bytes looking for charset directives](https://developer.mozilla.org/en/docs/Web/HTML/Element/meta). – SilverlightFox Oct 07 '15 at 08:36
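As an added example (my own code, not the answerer's or the asker's), a PHP page template that removes the precondition this answer describes: the charset is declared in the HTTP header and in the first bytes of the document, and htmlentities() is told which charset it is escaping for. The function names escape_html() and render_page() are mine.

```php
<?php
// Added example, not code from the original answer. Shows why the UTF-7 payload
// quoted above passes htmlentities() untouched and what actually defuses it:
// an explicit charset, declared before a browser could start sniffing.
declare(strict_types=1);

// Escape for an HTML text node or a double-quoted attribute value. The charset
// argument must match the one the page is served with; ENT_SUBSTITUTE keeps
// htmlentities() from returning '' on an invalid byte sequence (a silent blank
// is easy to miss in testing).
function escape_html(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the whole document. <meta charset> is the first thing in <head>, so it
// falls inside the leading bytes browsers scan for a charset directive (see
// the comment above about the 512-byte limit).
function render_page(string $untrusted): string
{
    return "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">"
         . "<title>Demo</title></head><body>\n"
         . '<div>' . escape_html($untrusted) . "</div>\n"
         . "</body></html>\n";
}

// The HTTP header takes precedence over the meta tag; send both, and send the
// header before any output.
header('Content-Type: text/html; charset=UTF-8');

// The answer's UTF-7 string: it contains no <, >, &, " or ', so there is
// nothing for htmlentities() to encode and the escaped form is identical.
$utf7 = '+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-';
var_dump(escape_html($utf7) === $utf7);

// The string only turns into markup if the browser decodes the page as UTF-7.
// This prints the decoded form the answer quotes, which a browser honouring
// the UTF-8 declaration above never sees.
echo mb_convert_encoding($utf7, 'UTF-8', 'UTF-7'), "\n";

echo render_page($utf7);
```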

When a browser parses an event attribute like "onerror", it first HTML decodes the value of the attribute, and then sends it to the JS engine for execution. That is why it is not enough to only HTML encode user content you are inserting in such attributes.

In contrast, when a browser parses a <script> tag, it does not HTML decode its content. It just forwards its content to the JS engine for execution.

Similarly, when you insert user content between <div> tags, I do not see a way XSS could be possible if the user data is HTML encoded because the browser does no decoding except of course only for presenting the encoded characters on screen.

And I have no idea how the title attribute of the <a> tag could lead to XSS if its content is HTML encoded and it is double quoted. Please let me know if you know how :)

pineappleman
  • I searched and found a link having an example for a span with a title attribute for an XSS exploit. Don't know if the anchor tag behaves differently. http://blog.astrumfutura.com/2012/03/a-hitchhikers-guide-to-cross-site-scripting-xss-in-php-part-1-how-not-to-use-htmlspecialchars-for-output-escaping/ – kuldeep.kamboj Sep 22 '15 at 05:12
  • But still, title is just an attribute; could it be decoded by HTML, or can only event attributes be decoded? – kuldeep.kamboj Sep 22 '15 at 05:14
  • See my updates in the question for the attacks I tried which should not be handled by htmlentities, but they still do not work. – kuldeep.kamboj Sep 22 '15 at 05:21
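As an added example (my own code, not the answerer's or the asker's), the question's own \x3c test string carried through the three contexts this answer distinguishes: a text node, a quoted non-event attribute, and a JavaScript string. It shows where such escape sequences are actually interpreted and which escaping function fits each context; escape_html() and escape_js_literal() are names I chose.

```php
<?php
// Added example, not code from the original answer. The question's "\x3c"
// sequences never bypass htmlentities() in an HTML context because the HTML
// parser knows nothing about backslash escapes; the JS engine does. So escape
// for the context the data lands in, and keep untrusted data out of on*
// event-handler attributes entirely (they are HTML-decoded, then executed).
declare(strict_types=1);

// HTML text node or quoted attribute such as title=, alt=, value= (not on*).
function escape_html(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string literal inside <script>. json_encode() escapes backslashes
// and quotes; the JSON_HEX_* flags additionally hex-escape < > & ' " so the
// literal can never close the surrounding <script> element.
function escape_js_literal(string $untrusted): string
{
    return json_encode(
        $untrusted,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Two different inputs the question conflates (both constructed here):
$typed   = '\x3cstrong\x3eHello World\x3c/strong\x3e';  // the characters \ x 3 c ...
$literal = "\x3cstrong\x3eHello World\x3c/strong\x3e";  // PHP resolved them: real < >

// Context 1: text node. $typed has no HTML metacharacters and is emitted
// unchanged; $literal is entity-encoded. Neither one becomes markup.
echo '<div>', escape_html($typed), "</div>\n";
echo '<div>', escape_html($literal), "</div>\n";

// Context 2: quoted non-event attribute. Same escaping, same outcome, because
// the browser only entity-decodes here and hands nothing to the JS engine.
echo '<a href="#" title="', escape_html($literal), "\">link</a>\n";

// Context 3: JS string literal. Here \x3c IS an escape: inserting $typed raw
// would give the variable the value <strong>Hello World</strong>.
// escape_js_literal() doubles the backslash so the engine keeps the literal text.
echo '<script>var label = ', escape_js_literal($typed), ";</script>\n";
```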