OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License

Possible to inject expression property resulting in an XSS attack in the IE browser by using certain document modes #47

Closed vijaysn2702 closed 3 years ago

vijaysn2702 commented 3 years ago

If we use the CSS expression property, client-side code is getting executed even after applying CSS encoding. Example: xss:expression(alert(1)); Do we need to validate properties like 'expression', and that url only contains http and https, before applying CSS encoding as per the cheat sheet? Or is the cheat sheet an older one?

jmanico commented 3 years ago

Yeah, this is a legacy issue with older versions of IE. What version of IE is this a problem with?

And if you submit a PR on this perhaps we can at least modify the Javadoc to explain this.

My advice is, if you need to support older versions of IE, then be very strict in terms of what you allow in your template. I would not specifically validate out “expression”; I would strictly validate what is good and reject the rest.

Can we see a little snippet of the vulnerable code to analyze more? I can give you a better suggestion if you do.

Aloha,

Jim Manico @Manicode

On Mar 22, 2021, at 2:38 AM, vijaysn2702 wrote:

> If we use the CSS expression property, client-side code is getting executed even after applying CSS encoding. Example: xss:expression(alert(1)); Do we need to validate properties like 'expression', and that url only contains http and https, before applying CSS encoding?

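The approach Jim describes above (allow-list what is good in the template, reject the rest, and keep CSS encoding for the quoted string and url() contexts it is designed for) looks roughly like the following. This is an added example, not code from the owasp-java-encoder project; the allow-list patterns are hypothetical shapes chosen for one imaginary template, and the only library calls used are `Encode.forCssString` and `Encode.forCssUrl` from `org.owasp.encoder`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;
import org.owasp.encoder.Encode;

/**
 * Added example (not part of owasp-java-encoder): strict allow-list validation
 * for untrusted CSS values. A bare property value is a context in which
 * encoding alone cannot stop legacy IE from evaluating expression(), so the
 * value is accepted only if it matches one of a few known-good shapes.
 */
public final class StrictCssValue {

    // Hypothetical allow-list: the value shapes this template is willing to emit.
    private static final Pattern HEX_COLOR =
            Pattern.compile("^#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$");
    private static final Pattern LENGTH =
            Pattern.compile("^-?\\d{1,4}(?:\\.\\d{1,2})?(?:px|em|rem|%)$");
    private static final Pattern KEYWORD =
            Pattern.compile("^[a-zA-Z][a-zA-Z-]{0,31}$");   // e.g. "bold", "inline-block"

    private StrictCssValue() {}

    /** True only if the value matches one of the allowed shapes (positive validation). */
    public static boolean isAllowedValue(String value) {
        if (value == null || value.length() > 64) {
            return false;
        }
        return HEX_COLOR.matcher(value).matches()
                || LENGTH.matcher(value).matches()
                || KEYWORD.matcher(value).matches();
    }

    /** Bare declaration value: validate, do not try to encode into safety. */
    public static String bareValue(String untrusted) {
        if (!isAllowedValue(untrusted)) {
            throw new IllegalArgumentException("CSS value rejected by allow-list: " + untrusted);
        }
        return untrusted;
    }

    /** Quoted CSS string context (e.g. content: "..."): the encoder's job. */
    public static String stringLiteral(String untrusted) {
        return "\"" + Encode.forCssString(untrusted) + "\"";
    }

    /** url("...") context: restrict the scheme to http/https first, then encode. */
    public static String urlLiteral(String untrusted) {
        URI uri;
        try {
            uri = new URI(untrusted);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("URL scheme not allowed: " + scheme);
        }
        return "url(\"" + Encode.forCssUrl(untrusted) + "\")";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first three pass the allow-list, the rest are rejected.
        String[] samples = {
            "#ff0000", "12px", "inline-block",
            "expression(alert(1))", "red; behavior: url(x)", "12px\n"
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + bareValue(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage().replace("\n", "\\n"));
            }
        }
        System.out.println(urlLiteral("https://example.com/bg.png"));
        try {
            urlLiteral("javascript:alert(1)");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The split matters: the issue above shows that a bare value like `expression(alert(1))` survives CSS encoding because nothing in it needs escaping in a string context, so the only defence in that position is refusing everything that is not on the allow-list. `Encode.forCssString` and `Encode.forCssUrl` remain the right tools once the value is placed inside quotes or inside `url("...")`, with the scheme check in front of `forCssUrl` because the encoder does not, and should not, decide which schemes a page may load.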

jmanico commented 3 years ago

Politely closing this out; it's a very old issue and IE is going away.