As mentioned in the OWASP Output_Encoding_Rules_Summary, why do we need to escape all characters except alphanumeric characters [escape all characters with the HTML Entity &#xHH; format, including spaces]?

Is it possible to do an XSS attack if an HTML attribute is enclosed within double quotes (") and we are escaping only five characters?

Note: exclude javascript: protocols in src/href

Convert & to &amp;
Convert < to &lt;
Convert > to &gt;
Convert " to &quot;
Convert ' to &#x27;

akr
  • Although it's phrased differently, this is essentially a duplicate: https://security.stackexchange.com/questions/142333/bypass-xss-filter-where-is-filtered-as-lt-but-is-not-escaped – Arminius Nov 23 '16 at 17:27
    Does this answer your question? [XSS inside HTML attribute where < and " are filtered](https://security.stackexchange.com/questions/142333/xss-inside-html-attribute-where-and-are-filtered) – August Janse Mar 17 '22 at 10:17

1 Answer


No, that is not possible (note though that the rule is about HTML common attributes and that other attributes like href, src, style, and event handlers are specifically excluded).

The reason that the rule exists is given in the same document you quote:

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of the attribute. The reason this rule is so broad is that developers frequently leave attributes unquoted. Properly quoted attributes can only be escaped with the corresponding quote. Unquoted attributes can be broken out of with many characters, including [space] % * + , - / ; < = > ^ and |.

The exclusion of non-common attributes is actually relevant in practice. Consider this for example:

<img src="no" onerror="alert('[some user input]')">

An attacker can perform an XSS attack via ');alert('1 if the single quotes are just HTML-encoded. The input would be transformed to &#39;);alert(&#39;1, which would be parsed by the HTML parser of the browser, which then passes it on - in decoded form - to the JavaScript engine.

tim
  • Thanks @tim "An attacker can perform an XSS attack via ');alert('1 " here javascript escaping is needed. I just wanted to know the possibility to perform XSS in an attribute like – akr Nov 23 '16 at 13:57
  • @akr I assumed so, but still thought that it is important to note that not all HTML attributes can be handled the same way. In your example encoding `"` would be enough. But the OWASP guide tries to be more general and tries to cover all corner cases. If your example would be `` then just encoding `"` would not be enough. This is for example important if a templating engine is used to automatically encode output - or even if you have functions like `encodeHTML`, `encodeHTMLAttribute` etc - and if the HTML templates are written by security-unaware users. – tim Nov 23 '16 at 14:07
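Added example, not code from the question or the answer: the question's five-character encoder, the broad OWASP attribute rule and the OWASP JavaScript-string rule side by side, run through a small model of the browser's entity decoding of an onerror attribute. The entity decoder (numeric plus five named entities) and the break-out check are simplified assumptions made for the example.

```javascript
// Added example (not from the question or answer): the question's five-character
// encoder, the broad OWASP attribute encoder, and a JS-string encoder, checked
// against a model of the HTML parser's entity decoding of an onerror attribute.

const FIVE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const hex2 = (c) => c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0');

// The five-character rule from the question.
function encodeFiveChars(s) {
  return s.replace(/[&<>"']/g, (c) => FIVE[c]);
}

// OWASP attribute rule: every non-alphanumeric character below 256 becomes &#xHH;.
function encodeHtmlAttribute(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => (c.charCodeAt(0) < 256 ? `&#x${hex2(c)};` : c));
}

// OWASP JavaScript rule for untrusted data inside a JS string literal: \xHH escapes.
function encodeJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => (c.charCodeAt(0) < 256 ? `\\x${hex2(c)}` : c));
}

// Simplified model of what the HTML parser does to an attribute value before handing
// it to the JavaScript engine: numeric (&#xHH; / &#NN;) and common named entities decode.
function decodeHtmlEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(?:#x([0-9A-Fa-f]+)|#([0-9]+)|([a-z]+));/g, (m, hex, dec, name) => {
    if (hex) return String.fromCharCode(parseInt(hex, 16));
    if (dec) return String.fromCharCode(parseInt(dec, 10));
    return name in named ? named[name] : m;
  });
}

// The handler from the answer, <img src="no" onerror="alert('...')">, with the encoded
// value in place; returns the code the JS engine actually evaluates.
function jsSeenByEngine(encodedInput) {
  return decodeHtmlEntities(`alert('${encodedInput}')`);
}

// True if the decoded handler contains more raw single quotes than the two that
// alert('...') itself contributes, i.e. the string literal has been broken out of.
function breaksOutOfLiteral(handlerJs) {
  return (handlerJs.match(/'/g) || []).length > 2;
}

// Constructed input, using the break-out string quoted in the answer.
const untrusted = "');alert('1";
console.log(breaksOutOfLiteral(jsSeenByEngine(encodeFiveChars(untrusted))));                       // true
console.log(breaksOutOfLiteral(jsSeenByEngine(encodeHtmlAttribute(untrusted))));                   // true
console.log(breaksOutOfLiteral(jsSeenByEngine(encodeHtmlAttribute(encodeJsString(untrusted)))));   // false
```

Only the last case stays inside the string literal after decoding: HTML entity encoding alone, however broad, is undone by the parser before the JavaScript engine runs, whereas JS-string encoding followed by attribute encoding survives it. For the question's own case, a double-quoted common attribute, the five-character rule already leaves no raw `"` to close the attribute.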