|
Chris@0
|
1 # Escaping Javascript
|
|
Chris@0
|
2
|
|
Chris@0
|
3 Javascript string literals in HTML are subject to significant restrictions due
|
|
Chris@0
|
4 to the potential for unquoted attributes and uncertainty as to whether
|
|
Chris@0
|
5 Javascript will be viewed as being `CDATA` or `PCDATA` by the browser. To
|
|
Chris@0
|
6 eliminate any possible XSS vulnerabilities, Javascript escaping for HTML extends
|
|
Chris@0
|
7 the escaping rules of both ECMAScript and JSON to include any potentially
|
|
Chris@0
|
8 dangerous character. Very similar to HTML attribute value escaping, this means
|
|
Chris@0
|
9 escaping everything except basic alphanumeric characters and the comma, period,
|
|
Chris@0
|
10 and underscore characters as hexadecimal or unicode escapes.
|
|
Chris@0
|
11
|
|
Chris@0
|
12 Javascript escaping applies to all literal strings and digits. It is not
|
|
Chris@0
|
13 possible to safely escape other Javascript markup.
|
|
Chris@0
|
14
|
|
Chris@0
|
15 To escape data in the **Javascript context**, use `Zend\Escaper\Escaper`'s
|
|
Chris@0
|
16 `escapeJs()` method. An extended set of characters are escaped beyond
|
|
Chris@0
|
17 ECMAScript's rules for Javascript literal string escaping in order to prevent
|
|
Chris@0
|
18 misinterpretation of Javascript as HTML leading to the injection of special
|
|
Chris@0
|
19 characters and entities.
|
|
Chris@0
|
20
|
|
Chris@0
|
21 ## Example of Bad Javascript Escaping
|
|
Chris@0
|
22
|
|
Chris@0
|
23 An example of incorrect Javascript escaping:
|
|
Chris@0
|
24
|
|
Chris@0
|
25 ```php
|
|
Chris@0
|
26 <?php header('Content-Type: application/xhtml+xml; charset=UTF-8'); ?>
|
|
Chris@0
|
27 <!DOCTYPE html>
|
|
Chris@0
|
28 <?php
|
|
Chris@0
|
29 $input = <<<INPUT
|
|
Chris@0
|
30 bar"; alert("Meow!"); var xss="true
|
|
Chris@0
|
31 INPUT;
|
|
Chris@0
|
32
|
|
Chris@0
|
33 $output = json_encode($input);
|
|
Chris@0
|
34 ?>
|
|
Chris@0
|
35 <html xmlns="http://www.w3.org/1999/xhtml">
|
|
Chris@0
|
36 <head>
|
|
Chris@0
|
37 <title>Unescaped Entities</title>
|
|
Chris@0
|
38 <meta charset="UTF-8"/>
|
|
Chris@0
|
39 <script type="text/javascript">
|
|
Chris@0
|
40 <?php
|
|
Chris@0
|
41 // this will result in
|
|
Chris@0
|
42 // var foo = "bar"; alert("Meow!"); var xss="true";
|
|
Chris@0
|
43 ?>
|
|
Chris@0
|
44 var foo = <?= $output ?>;
|
|
Chris@0
|
45 </script>
|
|
Chris@0
|
46 </head>
|
|
Chris@0
|
47 <body>
|
|
Chris@0
|
48 <p>json_encode() is not good for escaping javascript!</p>
|
|
Chris@0
|
49 </body>
|
|
Chris@0
|
50 </html>
|
|
Chris@0
|
51 ```
|
|
Chris@0
|
52
|
|
Chris@0
|
53 The above example will show an alert popup box as soon as the page is loaded,
|
|
Chris@0
|
54 because the data is not properly escaped for the Javascript context.
|
|
Chris@0
|
55
|
|
Chris@0
|
56 ## Example of Good Javascript Escaping
|
|
Chris@0
|
57
|
|
Chris@0
|
58 By using the `escapeJs()` method in the Javascript context, such attacks can be
|
|
Chris@0
|
59 prevented:
|
|
Chris@0
|
60
|
|
Chris@0
|
61 ```php
|
|
Chris@0
|
62 <?php header('Content-Type: text/html; charset=UTF-8'); ?>
|
|
Chris@0
|
63 <!DOCTYPE html>
|
|
Chris@0
|
64 <?php
|
|
Chris@0
|
65 $input = <<<INPUT
|
|
Chris@0
|
66 bar"; alert("Meow!"); var xss="true
|
|
Chris@0
|
67 INPUT;
|
|
Chris@0
|
68
|
|
Chris@0
|
69 $escaper = new Zend\Escaper\Escaper('utf-8');
|
|
Chris@0
|
70 $output = $escaper->escapeJs($input);
|
|
Chris@0
|
71 ?>
|
|
Chris@0
|
72 <html xmlns="http://www.w3.org/1999/xhtml">
|
|
Chris@0
|
73 <head>
|
|
Chris@0
|
74 <title>Escaped Entities</title>
|
|
Chris@0
|
75 <meta charset="UTF-8"/>
|
|
Chris@0
|
76 <script type="text/javascript">
|
|
Chris@0
|
77 <?php
|
|
Chris@0
|
78 // this will look like
|
|
Chris@0
|
79 // var foo =
|
|
Chris@0
|
80 bar\x26quot\x3B\x3B\x20alert\x28\x26quot\x3BMeow\x21\x26quot\x3B\x29\x3B\x20var\x20xss\x3D\x26quot\x3Btrue;
|
|
Chris@0
|
81 ?>
|
|
Chris@0
|
82 var foo = <?= $output ?>;
|
|
Chris@0
|
83 </script>
|
|
Chris@0
|
84 </head>
|
|
Chris@0
|
85 <body>
|
|
Chris@0
|
86 <p>Zend\Escaper\Escaper::escapeJs() is good for escaping javascript!</p>
|
|
Chris@0
|
87 </body>
|
|
Chris@0
|
88 </html>
|
|
Chris@0
|
89 ```
|
|
Chris@0
|
90
|
|
Chris@0
|
91 In the above example, the Javascript parser will most likely report a
|
|
Chris@0
|
92 `SyntaxError`, but at least the targeted application remains safe from such
|
|
Chris@0
|
93 attacks.
|
