finn-no / xss-html-filter Goto Github PK

Angle bracket entities in a href attribute cause the closing quote for the attribute to be converted to an entity, leaving the tag open. Other tags containing scripts can then be added after it.

Input:
<a href='&#60;/a&#x3e;'>Link</a><a href='&#60;/a&#x3e;&#39;&#60;script&#x3e;alert(1)&#x3c;/script&#x3e;'>Link</a>

Output:
<a href="</a>&quot;>Link</a><a href="</a>'<script>alert(1)</script>&quot;>Link</a>

Hi,

I was testing the filter against a set of XSS test inputs. It seems that your filter is still vulnerable to XSS such as with inputs that contain XSS payloads in the HTML tags. Examples are:

<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
<img src=xx:xx" on error="alert(1);">, where it filters the on error="alert(1);" but not the <img src=xx:xx".

I kindly suggest that the whitelist used by the filter restricts tags with these attributes and events to make it more robust against XSS. Also, due to the Integer.decode() API, the filter outputs an error with inputs that contain #09, for example:
<A HREF="h tt p://6&#09;6.000146.0x7.147/">XSS</A>

A full report can be read in our paper, "Assessment of Dynamic Open-source Cross-site Scripting Filters as Security Devices in Web Applications".

Thank you.

like

> hello

output

> hello

But I want to get this:

> hello

With input:

<a href='&#09'>

This throws a NumberFormatException on line:

final int decimal = Integer.decode(match).intValue();