• It's waiting for the `-->`, but if a `` came instead it would have all been fine. The ` – Adam A Sep 05 '18 at 22:31
2 Answers

    3

    The correct answer to this is "because the HTML parser in the spec says so".

    From the normal "inside a script tag" state, an HTML comment start (<!--) puts the parser into an escaped state, and from that mode a script start tag (<script>) puts it into a double escaped state in which script closing tags (</script>) are ignored.

    Why on Earth does it do this? Backwards compatibility for inserting code into browsers that didn't support JS. Chaals gives a great answer on https://github.com/w3c/html/issues/1617, and I'll show his example of what was once normal code here:

    <script>
      <!--    //hide from non-JS browsers
      function doSomething() {
        var coolScript = "<script>" + theCodeICopied + "</script>";
        document.write(coolScript);
      }
      // And if you forget to close your comment here, things go funny
      -->
    </script>
    

    So now we're stuck with this page-breaking vulnerability unless you escape both start AND end script tags.

    Adam A
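The state transitions this answer describes, as an added example (not code from the answer or from the HTML spec): a deliberately simplified model of the tokenizer's script data, escaped and double escaped states that decides where the text of a <script> element ends. It assumes the input is the text that follows the <script> start tag, lower-cases it for matching, and skips the spec's finer rules.

```javascript
// Added example: simplified model of the HTML tokenizer's "script data" states.
// Returns the index where the script's text ends, or -1 if no appropriate
// </script> is found (the script swallows the rest of the document).
function scriptDataEnd(scriptText) {
  const s = scriptText.toLowerCase();
  let state = "data"; // "data" | "escaped" | "doubleEscaped"
  let i = 0;
  const at = (needle) => s.startsWith(needle, i);
  // A tag only counts if its name is followed by whitespace, "/" or ">".
  const tagAt = (name) => {
    if (!at(name)) return false;
    const c = s[i + name.length];
    return c !== undefined && /[\s\/>]/.test(c);
  };
  while (i < s.length) {
    if (state === "data") {
      if (at("<!--")) { state = "escaped"; i += 4; continue; }
      if (tagAt("</script")) return i; // normal end of the script
    } else if (state === "escaped") {
      if (at("-->")) { state = "data"; i += 3; continue; }
      if (tagAt("<script")) { state = "doubleEscaped"; i += 7; continue; }
      if (tagAt("</script")) return i; // still ends the script here
    } else {
      // doubleEscaped: "</script>" is plain text and only drops back to escaped
      if (at("-->")) { state = "data"; i += 3; continue; }
      if (tagAt("</script")) { state = "escaped"; i += 8; continue; }
    }
    i++;
  }
  return -1; // no end tag found: the rest of the document becomes script text
}

// Constructed inputs: the sequence from the question vs. the same string
// with the comment opener broken up as "<\!--" (same JS value, different HTML).
const broken = 'var s = "<!--<script>";\n</script>\n<p>rest of page</p>';
const safe = 'var s = "<\\!--<script>";\n</script>\n<p>rest of page</p>';
console.log(scriptDataEnd(broken)); // -1: the </script> was consumed
console.log(scriptDataEnd(safe));   // index of </script>: script ends normally
```

A return of -1 is exactly the page-breaking case: everything after the script, including attacker-controlled markup elsewhere in the page, is now parsed as script content.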
    0

    Why does “<!--<script>” in a JS string cause an XSS vulnerability?

    Extraneous Open Brackets:

    Submitted by Franz Sedlmaier, this XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorithm like Boyer-Moore that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to suppress a JavaScript error:

    <<SCRIPT>alert("XSS");//<</SCRIPT>

    Also see the next example at that link, "No closing script tags". Having invalid code like that is incorrect. If that were the whole page and it contained nothing else then there wouldn't be an XSS vulnerability, nor would anything be displayed. You are opening a comment and terminating it with an EOF; that is why nothing is printed. A do loop will always be executed at least once, even if the condition is false, because the code block is executed before the condition is tested; it will execute everything up to a while and either loop or terminate the loop.

    Rob
    • Appreciate the link. What you'd said about the page is not true though - copying that into an HTML file prints exactly what I said it would into Chrome or Firefox. I should remove the "do" because it's just invalid/irrelevant junk. It doesn't have any effect on the HTML parsing. – Adam A Sep 03 '18 at 08:19
    • Could you quote the specific sentence that you disagree with. Copying that into a file starts a comment and terminates it with an EOF. We need a longer example if you don't want us to guess what comes afterwards. – Rob Sep 03 '18 at 08:23
    • It doesn't start a comment that ends with an EOF. The browser interprets it all as being content in the – Adam A Sep 03 '18 at 08:44
    • 1
      FWIW, you're onto something. The parser for – Adam A Sep 03 '18 at 09:30