Details
-
Bug
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
None
-
None
-
None
Description
The current implementation risks exceptions in strict javascript engines.
| return source == null ? null : Encode.forJavaScript(source).replace("\\-", "\\u002D"); |
Substitutes on top of the encoder's result with the intent to correct the encoder are near-sighted (i.e. suffer from the context-free approach). If source had a backslash followed by a dash, i.e. raw \-, the forJavaScript call would properly change the backslash into 2 backslashes raw \\- (this would result in the javascript engine turning the string literal back to raw \-). But the subsequent replace call will destroy the context of the second backslash, turning the string into raw \\u002D which would turn to raw \u002D in the javascript engine's variable.
I argue for dropping the .replace() call (aiming at disabling malicious comment injection) here and encoding the opening angle bracket raw < as raw \u003C in the Encode.forJavaScript implementation. This will protect against both the malicious comment injection and the injection of closing script tags raw <\script> forcing the javascript interpreter to drop out of the string literal context and drop out of the script context.
The existing prefixing of forward slashes with a backslash agrees with JSON but not with Javascript. It should be removed in favour of replacing just the opening angle bracket.
SingleEscapeCharacter :: one of ' " \ b f n r t v
https://www.ecma-international.org/ecma-262/6.0/#sec-literals-string-literals
I noticed that JSONObject#toString suffers from the same idea of a non-universal protection of the forward slash. I guess both XSSAPI and JSONObject#toString reuse the same code.
Attachments
Issue Links
- fixes
-
-
- Open
-
- is caused by
-
-
- Closed
-