Fierozen / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

XSS Cheat sheet on safe vs unsafe CSS property value syntax is inaccurate #240

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The cheat sheet currently gives three examples of CSS

1. <style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING 
HERE...; } </style>     property value
2. <style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING 
HERE..."; } </style>   property value
3. <span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING 
HERE...">text</style>       property value

only 2 is safe against IE's expression syntax even when correctly encoded (see 
Issue 236).

The text then goes on to say:

"All attributes should be quoted but your encoding should be strong enough to 
prevent XSS when untrusted data is placed in unquoted contexts."

which is impossible since in an unquoted context, IE will still honour an 
encoded expression.

There's a missing syntax:

4. <span style="property : '...ESCAPE UNTRUSTED DATA BEFORE PUTTING 
HERE...'">text</style>       property value

It's a dangerous omission since it's the only safe syntax for the style 
attribute.

I think three things need to be done:

 * Add syntax example 4
 * Mark 1 and 3 as "unsafe"
 * Modify the wording underneath to read "All attributes should be quoted or they will be vulnerable to XSS" or similarly acknowledge that encoding isn't enough in unquoted contexts.

Original issue reported on code.google.com by jon.trap...@googlemail.com on 6 Aug 2011 at 10:42