5

Given some JavaScript which modifies the page's title by taking in variable data

document.title = someVariable

I am looking to address dom based XSS while keeping the title fairly readable. Therefore, doing something like escape() or encodeURI() will not work.

I do not necessarily have control over how document.title may be used in other scripts, so I want to ensure that I do some sanitization in the least destructive manner, but avoid possible scenarios where the way the variable is later processed could possibly be decoded in such a way that it later becomes XSS.

My first thoughts were something like this:

// Neutralise a literal "<script" prefix; a regex with the g and i flags hits every occurrence, not just the first
someVariable = someVariable.replace(/<script/gi, 'noscript');
// Strip angle brackets and quotes, plus any URL-encoded "<" or ">" (%3C / %3E); the g flag removes every match
someVariable = someVariable.replace(/[<>'"]/g, '').replace(/%3[CEce]/g, '');
document.title = someVariable;

This is minimally destructive from a readability standpoint. Removing these characters could potentially break later code, but I would rather break code in favor of security.

I feel like I am rolling my own here, so I would like to know if there is a better approach that will meet the readability requirements. If not, are there any other filters or sanitization recommended?

Eric G
  • 9,691
  • 4
  • 31
  • 58

2 Answers

1

If you need to take this approach then why not remove everything apart from alphanumerics and the space character? i.e. go for a whitelist rather than a blacklist. You do not know how standards in HTML and JavaScript may change in future so only allow the characters likely to be good instead of disallowing known bad.

I do not necessarily have control over how document.title may be used in other scripts, so I want to ensure that I do some sanitisation in the least destructive manner, but avoid possible scenarios where the way the variable is later processed could possibly be decoded in such a way that it later becomes XSS.

My question to you is: who does have control? Of course the correct way to handle this is to correctly output-encode when writing to the page; I'm just wondering why this is not an acceptable solution for your system. If you cannot control other scripts, how do you know they are secure in other ways?

Replacing <script> does not stop scripts from being embedded. There are lots of other ways to inject script. e.g.

<img src="x" onerror="alert('xss')" />
SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
  • This is in a Firefox addon content script. The content script can interact with any page possible. While I would not be responsible for poor security on someone's site abusing my addon, I would like to limit it. Whitelisting to English/ASCII is not an option since international characters in the title are valid, as well as glyphs/Wingdings in UTF, etc. – Eric G Feb 21 '15 at 19:50
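Added example, not code from the question or either answer: the output-encoding the answer recommends for any script that later writes the title into HTML, beside a Unicode-aware allowlist that keeps the international characters and glyphs the comment needs while dropping control characters and the characters that open HTML tags or attributes. The function names and the `doc` parameter are my own.

```javascript
// Layer 1: entity-encode the characters that matter in an HTML text or
// double-quoted attribute context. A consumer that does
// el.innerHTML = escapeHtml(document.title) cannot have the title parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Layer 2: allowlist instead of blacklist. Keep letters (\p{L}), combining
// marks (\p{M}), numbers (\p{N}), punctuation (\p{P}), symbols (\p{S}, which
// covers emoji and dingbat-style glyphs) and space separators (\p{Zs}).
// Everything else is dropped: control characters, format characters such as
// the bidi override U+202E, and line/paragraph separators. The structural
// HTML characters are then removed explicitly. The u flag is required for
// Unicode property escapes and makes the class operate on code points.
function sanitizeTitle(s) {
  return String(s)
    .replace(/\s+/g, ' ')                                  // collapse tabs/newlines first
    .replace(/[^\p{L}\p{M}\p{N}\p{P}\p{S}\p{Zs}]/gu, '')   // allowlist by Unicode category
    .replace(/[<>"'&]/g, '')                               // drop tag/attribute/entity openers
    .trim();
}

// Assigning document.title sets text; it never parses markup. The risk the
// question describes arises only when another script reads the title back and
// writes it into an HTML sink. `doc` is passed in so this runs outside a browser.
function setTitle(doc, value) {
  doc.title = sanitizeTitle(value);
  return doc.title;
}

if (typeof document !== 'undefined') {
  setTitle(document, 'Café – 日本語 😀 \u202E<b>untrusted</b>');
}
```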
0

The best solution would be to blacklist certain characters and sequences (recursively). It all depends on how much usability you are willing to sacrifice for security. You can blacklist script tags and somebody can use img src=# onerror etc. It can't hurt to do that if these sequences aren't ever expected, but again I don't know the use of your application.

I believe what you are doing is not good but it is the best approach possible here.

user3632719
  • 129
  • 4