Regex HTML Sanitisation can work

Friday, 18 March 2011

Dear Pádraic Brady,

I have not received any emails with any exploits, I am disappointed I want my HTML regex sanitiser to be broken please. Apparently you can find 2-5 vulnerabilities per solution so please execute XSS in my regex. Thanks! I’ll be very impressed if you do and I will promise to dedicate a blog post to you.

HTML Regex sandbox

Please don’t stop there though 🙂 I have a JavaScript sandbox that you can bypass that uses regular expressions.
JavaScript Regex sandbox

Thanks very much

Kind Regards
Gareth

The entry 'Regex HTML Sanitisation can work' was posted on March 18th, 2011 at 10:48 am and is filed under javascript, php, Security, xss. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

10 Responses to “Regex HTML Sanitisation can work”

  1. Paul Stone writes:
    No. 1 — March 18th, 2011 at 12:55 pm

    ‘expression’ seems to be allowed inside CSS styles.. is that intended?

  2. Rob Zienert writes:
    No. 2 — March 18th, 2011 at 1:27 pm

    The gauntlet: it has been thrown.

  3. Gareth Heyes writes:
    No. 3 — March 18th, 2011 at 1:44 pm

    @PaulStone

    Hi please provide a vector 🙂

  4. Paul Stone writes:
    No. 4 — March 18th, 2011 at 2:06 pm

    xxx

    works in IE8 in quirks/IE7 mode.

  5. Paul Stone writes:
    No. 5 — March 18th, 2011 at 2:07 pm

    <html&g;<div style=”x:expression(this.x?0:alert(this.x=’xss’))”>xxx</div>

  6. Paul Stone writes:
    No. 6 — March 18th, 2011 at 2:09 pm

    Well, you get the idea (preview for comments would be nice :). Plain expression(alert(‘xss’)) would also work but the above version doesn’t DOS the browser with endless alerts.

  7. Gareth Heyes writes:
    No. 7 — March 18th, 2011 at 2:16 pm

    @Paul

    Hey paul I tried in IE8 using the vector your describe and the opening tag is removed so the output is xxx</div> I’ll check my VM in IE7

  8. Paul Stone writes:
    No. 8 — March 18th, 2011 at 2:19 pm

    Ah, it appears to be a bug in your code when running HTMLReg/CSSReg on Firefox 4 RC. The HTML gets sanitised when running on 3.6 or another browser.

  9. Gareth Heyes writes:
    No. 9 — March 18th, 2011 at 2:29 pm

    @Paul

    Tried on FF 4 RC and the output is : xxx</div> please could you provide a screenshot and a pastebin of the code? Thanks!

  10. Padraic Brady writes:
    No. 10 — March 18th, 2011 at 3:48 pm

    Gareth,

    I picked up your gauntlet, looked under it, and found something naughty. Could you supply an email address since I’m not big on making things public? Mine is ****

    Also, your reply failed to clarify that HTMLReg is a Javascript library that parses input using the browser DOM (which is not a JS regular expression driven process). Comparing Oranges to Apples doesn’t produce a good argument. Granted, while sipping on my Guinness last night I could have put PHP in a larger bold font throughout my article ;).

«
»