[jira] [Commented] (SLING-5946) XSSAPI#encodeForJSString is not restrictive enough

Wed, 04 Dec 2019 15:21:32 -0800 


    [ 
https://issues.apache.org/jira/browse/SLING-5946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988288#comment-16988288
 ] 

Ilguiz Latypov commented on SLING-5946:
---------------------------------------

Please reopen this due to an improper implementation risking exceptions in 
strict javascript engines.
| return source == null ? null : Encode.forJavaScript(source).replace("\\-", 
"\\u002D");|
 
Substitutes on top of the encoder's result with the intent to correct the 
encoder are near-sighted (i.e. suffer from the context-free approach). If 
{{source}} had a backslash followed by a dash {{raw \-}}, the {{forJavaScript}} 
call would properly change the backslash into 2 backslashes {{raw \\-}} (this 
would result in the javascript engine turning the string literal back to {{raw 
\-}}). But the subsequent {{replace}} call will destroy the context of the 
second backslash, turning the string into {{raw \\u002D}} which would turn to 
{{raw \u002D}} in the javascript engine's variable.

I argue for dropping the {{.replace()}} call here and encoding the opening 
angle bracket {{raw <}} as {{raw \u003C}} in the Encode.forJavaScript() 
implementation. This will also protect against the closing script tags {{raw 
</script>}} forcing the javascript interpreter to drop out of the string 
literal context and drop out of the script context. The existing prefixing of 
forward slashes with a backslash agrees with JSON but not with Javascript. It 
should be removed in favour of replacing just the opening angle bracket.

> XSSAPI#encodeForJSString is not restrictive enough
> --------------------------------------------------
>
>                 Key: SLING-5946
>                 URL: https://issues.apache.org/jira/browse/SLING-5946
>             Project: Sling
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: XSS Protection API 1.0.8
>            Reporter: Vlad Bailescu
>            Assignee: Robert Munteanu
>            Priority: Major
>             Fix For: XSS Protection API 1.0.12
>
>         Attachments: SLING_5946.patch
>
>
> Since SLING-5445, {{XSSAPI#encodeForJSString}} is no longer properly encoding 
> {{</script>}} and {{<!--}}. We should revert to using OWASP 
> {{Encode#forJavaScript}} and handle - characters correctly for JSON too, by 
> replacing them with {{\u002D}}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to