salesforce / secure-filters

Anti-XSS Security Filters for EJS and More
BSD 3-Clause "New" or "Revised" License
139 stars 39 forks

double-quote is always URI-encoded #25

Closed · stash closed this 10 years ago

stash commented 10 years ago

Fairly sure that in all environments " will get encoded by encodeURIComponent() to %22. The line removed is wrong (had %27 instead of %22), but was getting masked by encodeURIComponent in all the test environments.

stash commented 10 years ago

@amalkrishnancg a quick review for you if you've got a few minutes.

amalkrishnancg commented 10 years ago

" Internet Explorer (IE) doesn't encode double quote characters (") in the query part of the uniform resource identifier (URI). This behavior, besides being non standard (as stated by RFC and implemented by other browsers including Chrome or Firefox) may expose IE users to reflected XSS attacks. "

http://blog.imperva.com/2012/01/ie-bug-exposes-its-users-to-xss-attacks-.html
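The table mistake in the first comment (a literal `"` mapped to `%27` rather than `%22`) stayed hidden because `encodeURIComponent` already emits `%22`, and it only matters once a browser such as the IE described in the quoted post leaves `"` unencoded in the query string. Below is an added illustration, not secure-filters' own code: a uri-style encoder whose escapes are derived from the character code instead of a hand-typed table, plus the kind of check that asserts the exact escape byte; the names `percentCode`, `uriEncode`, `isFullyEncoded` and `check` are assumptions.

```javascript
// Added example (not part of the secure-filters project): derive each
// percent-escape from the code point, so '"' can only ever become %22 and
// "'" can only ever become %27, then check the exact byte in the output.

// Percent-encode one single-byte character from its code point.
function percentCode(ch) {
  const hex = ch.charCodeAt(0).toString(16).toUpperCase();
  return '%' + (hex.length < 2 ? '0' + hex : hex);
}

// Characters encodeURIComponent leaves alone but which should not survive
// in a value that is dropped into a URL query or an HTML attribute.
const EXTRA = /[!'()*]/g;

function uriEncode(value) {
  const base = encodeURIComponent(String(value));
  // Escape the leftovers, and re-assert '"' as %22 for any encoder that
  // might pass it through unchanged (a no-op where encodeURIComponent
  // already did the work, which is exactly why a wrong table entry hides).
  return base.replace(EXTRA, percentCode).replace(/"/g, percentCode);
}

// Output must contain only RFC 3986 unreserved characters and %XX escapes.
function isFullyEncoded(str) {
  return /^(?:[A-Za-z0-9\-._~]|%[0-9A-F]{2})*$/.test(str);
}

// The test that catches a wrong mapping: check the specific escape byte,
// not merely that "some escape happened", and that decoding round-trips.
function check() {
  const sample = 'x "\'!()*';          // constructed input covering every special
  const dq = uriEncode('a"b');
  return dq === 'a%22b' && dq !== 'a%27b'
    && isFullyEncoded(uriEncode(sample))
    && decodeURIComponent(uriEncode(sample)) === sample;
}
```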

stash commented 10 years ago

ok then! closing as invalid. :)

amalkrishnancg commented 10 years ago

Yeah, IE is not fun :)