Regex HTML Sanitisation can work
Friday, 18 March 2011
Dear Pádraic Brady,
I have not received any emails with any exploits. I am disappointed; I want my HTML regex sanitiser to be broken, please. Apparently you can find 2-5 vulnerabilities per solution, so please execute XSS in my regex. Thanks! I'll be very impressed if you do and I promise to dedicate a blog post to you.
Please don't stop there though 🙂 I have a JavaScript sandbox that uses regular expressions, which you can bypass.
JavaScript Regex sandbox
Thanks very much
Kind Regards
Gareth
No. 1 — March 18th, 2011 at 12:55 pm
'expression' seems to be allowed inside CSS styles... is that intended?
No. 2 — March 18th, 2011 at 1:27 pm
The gauntlet: it has been thrown.
No. 3 — March 18th, 2011 at 1:44 pm
@PaulStone
Hi, please provide a vector 🙂
No. 4 — March 18th, 2011 at 2:06 pm
xxx
works in IE8 in quirks/IE7 mode.
No. 5 — March 18th, 2011 at 2:07 pm
<html><div style="x:expression(this.x?0:alert(this.x='xss'))">xxx</div>
No. 6 — March 18th, 2011 at 2:09 pm
Well, you get the idea (preview for comments would be nice :). Plain expression(alert('xss')) would also work, but the above version doesn't DoS the browser with endless alerts.
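To show what the vector above and its obfuscated cousins look like to a filter, here is an added example in JavaScript. It is not part of the post and is not HTMLReg or CSSReg code; the function names are this example's own, and the sample style values are constructed inputs (the first is the style value from the vector posted above, the others are the same payload with a CSS comment or CSS hex escapes inserted). It compares a literal `expression(` regex with one that first strips CSS comments and decodes CSS escapes, which is the minimum normalisation a regex-based style filter needs before it can match reliably.

```javascript
// Added example (not HTMLReg/CSSReg code): normalising a style attribute
// value before matching for IE's CSS expression(), so that comment and
// escape obfuscation cannot slip past a regex check.

// Remove CSS comments. An unterminated "/*" runs to the end of the value,
// which is how CSS tokenisers treat it.
function stripCssComments(value) {
  return value.replace(/\/\*[\s\S]*?(?:\*\/|$)/g, "");
}

// Decode CSS escapes: "\" + 1-6 hex digits (+ one optional whitespace char)
// becomes that code point; "\" + any other non-newline char becomes that char.
function decodeCssEscapes(value) {
  return value.replace(
    /\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\([^\n\r\f])/g,
    (match, hex, ch) => {
      if (hex !== undefined) {
        const cp = parseInt(hex, 16);
        if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) {
          return "\uFFFD"; // CSS Syntax maps NUL, surrogates and out-of-range to U+FFFD
        }
        return String.fromCodePoint(cp);
      }
      return ch;
    }
  );
}

// Normalise to a fixpoint so an escape cannot reconstruct a comment marker
// (or vice versa) that only appears after the first pass. Repeated decoding
// over-decodes a doubled backslash, which only makes the filter stricter.
function normalizeCssValue(value) {
  let current = String(value);
  for (let i = 0; i < 4; i++) {
    const next = decodeCssEscapes(stripCssComments(current));
    if (next === current) break;
    current = next;
  }
  return current
    .replace(/[\x00-\x08\x0b\x0e-\x1f\x7f]/g, "") // drop ASCII control chars
    .replace(/\s+/g, " ")
    .toLowerCase();
}

// The naive check a regex sanitiser usually starts with: match the raw token.
function naiveIsDangerousStyle(value) {
  return /expression\s*\(/i.test(value);
}

// Hardened check: normalise first, then match the same token.
function isDangerousStyle(value) {
  return /expression\s*\(/.test(normalizeCssValue(value));
}

// Constructed sample inputs (assumption: these are this example's own data).
// "thread" is the style value from the vector posted above.
const SAMPLE_STYLES = {
  thread:   "x:expression(this.x?0:alert(this.x='xss'))",
  comment:  "x:expr/**/ession(alert('xss'))",   // CSS comment splits the token
  hexSpace: "x:\\65 xpression(alert('xss'))",   // "\65 " -> "e", space consumed
  hexShort: "x:e\\78pression(alert('xss'))",    // "\78" -> "x", ended by "p"
  benign:   "color: red; background: url(img.png)",
};

// Run both checks over every sample and return the verdicts.
function checkAll(samples = SAMPLE_STYLES) {
  const out = {};
  for (const [name, css] of Object.entries(samples)) {
    out[name] = {
      naive: naiveIsDangerousStyle(css),
      hardened: isDangerousStyle(css),
    };
  }
  return out;
}

console.log(JSON.stringify(checkAll(), null, 2));
```

The point of the design is that the match itself stays a plain regex; what changes is that the value is decoded the way the browser will decode it before the regex ever sees it. Erring on the side of over-rejection (the fixpoint loop decodes more than a strict tokeniser would) is acceptable for a filter whose only job is to say no.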
No. 7 — March 18th, 2011 at 2:16 pm
@Paul
Hey Paul, I tried in IE8 using the vector you describe and the opening tag is removed, so the output is xxx</div>. I'll check my VM in IE7.
No. 8 — March 18th, 2011 at 2:19 pm
Ah, it appears to be a bug in your code when running HTMLReg/CSSReg on Firefox 4 RC. The HTML gets sanitised when running on 3.6 or another browser.
No. 9 — March 18th, 2011 at 2:29 pm
@Paul
Tried on FF 4 RC and the output is: xxx</div>. Please could you provide a screenshot and a pastebin of the code? Thanks!
No. 10 — March 18th, 2011 at 3:48 pm
Gareth,
I picked up your gauntlet, looked under it, and found something naughty. Could you supply an email address since I’m not big on making things public? Mine is ****
Also, your reply failed to clarify that HTMLReg is a JavaScript library that parses input using the browser DOM (which is not a JS regular expression driven process). Comparing oranges to apples doesn't produce a good argument. Granted, while sipping on my Guinness last night I could have put PHP in a larger bold font throughout my article ;).