Wednesday, 06 April 2011

JavaScript injection in JSON inserted directly into script tag

Passing data from the backend to JavaScript can be done in many different ways. One of the simplest is to inject (<%= %>) the value as a function argument inside a script tag. Unfortunately this pattern carries a well known XSS vulnerability, in a slightly different form than the same injection in an HTML template.

<script type="text/javascript">
App.initializeSomething(<%= data.to_json %>)
</script>

The reason is that the browser treats </script> as a closing script tag no matter where it appears inside the script. So the script tag can be closed unexpectedly and reopened with arbitrary code if the data argument contains a correctly formed sequence, like:

Using the #html_escape helper is wrong here because it performs a different type of escaping.
For example, you don't need to escape double quotes in this case (and html_escape would turn them into &quot;, breaking the JSON).

The Rails core team is aware of that problem and has implemented a special helper:

# A utility method for escaping HTML entities in JSON strings
# using \uXXXX JavaScript escape sequences for string literals:
# json_escape("is a > 0 & a < 10?")
# # => is a \u003E 0 \u0026 a \u003C 10?
# Note that after this operation is performed the output is not
# valid JSON. In particular double quotes are removed:
# json_escape('{"name":"john","created_at":"2010-04-28T01:39:31Z","id":1}')
# # => {name:john,created_at:2010-04-28T01:39:31Z,id:1}
# This method is also aliased as +j+, and available as a helper
# in Rails templates:
# <%=j @person.to_json %>
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }

def json_escape(s)
  # '"' is matched but has no entry in JSON_ESCAPE, so it is replaced by nil (dropped),
  # which is why the output above is no longer valid JSON.
  s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] }
end

The full implementation can be found in the Rails source code.
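The break-out described above, and an escaping step that closes it while keeping the JSON valid (unlike json_escape, which drops the quotes), as an added example that is not from the post or from Rails. App.initializeSomething and the user-supplied name are constructed for the demo.

```ruby
require 'json'

# Constructed sample: a user-controlled string that tries to end the
# <script> block the JSON is inlined into and start a new one.
USER_NAME = '</script><script>alert(1)</script>'

# Characters that matter inside a <script> block, mapped to JSON \uXXXX
# escapes. Double quotes are left alone, so the result is still valid JSON.
# U+2028/U+2029 are legal raw in JSON but are line terminators in JavaScript.
SCRIPT_SAFE = {
  '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

# Escape an already-serialised JSON document so it can sit verbatim
# inside <script>; JSON.parse of the result gives back the same data.
def script_safe_json(json)
  json.gsub(/[<>&\u2028\u2029]/) { |c| SCRIPT_SAFE[c] }
end

# Build the inline script the way the post's template does, with and
# without the extra escaping, so the difference is visible.
def inline_script(data, escape: true)
  json = JSON.generate(data)
  json = script_safe_json(json) if escape
  "<script type=\"text/javascript\">\nApp.initializeSomething(#{json})\n</script>"
end

# True when the markup contains more closing tags than the one we wrote,
# i.e. the data closed the script block early.
def breaks_out?(html)
  html.scan(%r{</script>}i).size > 1
end

if __FILE__ == $0
  data = { name: USER_NAME, id: 1 }
  puts inline_script(data, escape: false)   # a second </script> appears
  puts inline_script(data)                  # everything stays in one block
end
```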

4 comments:

p90x said...

Preferably, when you gain knowledge, are you able to mind updating your website with an increase of information? It is very ideal for me.

mikerosss said...

I just added your blog site to my blogroll, I pray you would give some thought to doing the same.

cheap karen millen dress said...

thanks for this great post wow... it's very wonderful

replica mont blanc pens said...

Mens Must Have Accessories www.wheelersgifts.com/replica-t-shirt
