YahooArchive / secure-handlebars

Handlebars Context Pre-compiler
BSD 3-Clause "New" or "Revised" License

Vulnerability could exist if attributeValue partially contributes to a dangerous protocol #34

Open adon-at-work opened 9 years ago

adon-at-work commented 9 years ago

For example: java{{url}}

neraliu commented 9 years ago

It is an interesting pattern that in theory can bypass any blacklist/whitelist filter. However, if we consider the attribute value context as a whole and trigger the URI parser to parse the string, then we can detect this issue.

adon-at-work commented 9 years ago

Documented here is another possibility: {{url1}}{{url2}}, where {{url1}} is java and {{url2}} is script:alert(1).
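The two patterns in this thread (java{{url}} and {{url1}}{{url2}}) and the whole-attribute check proposed above, as an added illustration that is not secure-handlebars code. It assumes a hypothetical per-expression filter that checks the URL scheme only of an expression that begins the attribute value (a later expression is assumed to land in the path and is merely encoded), and contrasts it with a check that first assembles the static template text and every expression value into one string and reads the scheme from that. The part list format, SAFE_SCHEMES, and the function names are assumptions for the example:

```javascript
// Added illustration for issue #34 (not secure-handlebars code). A URI
// attribute value is modelled as a list of template parts: static template
// text ({ literal }) or a Handlebars expression ({ expr }).

// Hypothetical scheme whitelist for href/src values.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Scheme of a URL as a browser would see it: per the WHATWG URL parser,
// leading/trailing C0 controls and spaces are trimmed and ASCII tab/newline
// are removed anywhere, then RFC 3986 scheme characters up to ':' are read.
// Returns null for a scheme-less (relative) URL.
function schemeOf(value) {
  const cleaned = value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function htmlAttrEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable design: each expression is filtered on its own. Only the
// expression that begins the attribute value gets the scheme check; a later
// one is assumed to sit in the path and is just encoded. Static text never
// takes part in the decision, which is exactly what the issue exploits.
function renderPerExpression(parts, data) {
  return parts
    .map((part, i) => {
      if ("literal" in part) return part.literal;
      const value = String(data[part.expr]);
      if (i === 0) {
        const scheme = schemeOf(value);
        if (scheme !== null && !SAFE_SCHEMES.has(scheme)) return "#"; // neutralise unsafe URL
      }
      return htmlAttrEncode(value);
    })
    .join("");
}

// Safer design, as suggested in the thread: assemble the whole attribute value
// (static text plus every expression value) and run the scheme check over the
// assembled string, so "java" + "script:alert(1)" is judged as one URL.
// Assumes the static text contains no HTML entities (see the note below).
function renderWholeAttribute(parts, data) {
  const assembled = parts
    .map((part) => ("literal" in part ? part.literal : String(data[part.expr])))
    .join("");
  const scheme = schemeOf(assembled);
  if (scheme !== null && !SAFE_SCHEMES.has(scheme)) return "#";
  return parts
    .map((part) => ("literal" in part ? part.literal : htmlAttrEncode(String(data[part.expr]))))
    .join("");
}

// Constructed inputs: the two patterns from this issue.
const PATTERN_STATIC_PREFIX = [{ literal: "java" }, { expr: "url" }]; // href="java{{url}}"
const PATTERN_SPLIT_SCHEME = [{ expr: "url1" }, { expr: "url2" }];    // href="{{url1}}{{url2}}"

function demo() {
  return {
    prefixPerExpr: renderPerExpression(PATTERN_STATIC_PREFIX, { url: "script:alert(1)" }),
    prefixWhole: renderWholeAttribute(PATTERN_STATIC_PREFIX, { url: "script:alert(1)" }),
    splitPerExpr: renderPerExpression(PATTERN_SPLIT_SCHEME, { url1: "java", url2: "script:alert(1)" }),
    splitWhole: renderWholeAttribute(PATTERN_SPLIT_SCHEME, { url1: "java", url2: "script:alert(1)" }),
  };
}

console.log(demo());
```

Because the check runs over the assembled value, it also catches the variant where the expression value starts with a tab or newline ("java" + "\tscript:alert(1)"), which browsers strip before reading the scheme. The remaining gap is entity decoding: if the static template text carried something like &#115;cript, the browser would decode it inside the attribute, so a real implementation must compare the decoded attribute value, not the raw template text.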