Say I have the following webpage:
<html>
<script>
document.write('querystring=' + location.search.substr(1));
</script>
</html>
I open it at a URL like this:
http://completely-secure-site/?<script>alert('fsecurity')</script>
In all browsers tried (Chrome 57, Firefox 52 and Safari 10) the result is:
querystring=%3Cscript%3Ealert(%27fsecurity%27)%3C/script%3E
Because angle brackets <> are not valid URL characters, they seem to get automatically encoded by the browser on the way in, before they can get anywhere near the JS runtime.
This leads me to believe that simply rendering the querystring directly on the client using document.write is always safe, and not a possible XSS vector. (I realize that there are many other ways in which an app can be vulnerable, of course, but let's stick to the precise case described here.)
Am I correct in this assumption?
Not relevant to the question, but an interesting aside: if I decode the URI first, then browser behavior is different: document.write(decodeURI(location.search.substr(1))); The XSS Auditor in both Chrome and Safari blocks the page, while Firefox shows the alert.
If I use the query string ?<script>alert("d")</script> on IE6 on Windows XP, the injected code shows the alert; this also happens using decodeURI or decodeURIComponent in the page, so I would say your second assumption is right if IE6 is still a reasonable browser: it is a feature of modern browsers.
I also see Firefox 53 showing the injected XSS alert when using the decode methods; Opera 44 & Chrome 57 (all on Windows) block the code.
According to RFC 3986, section 2.4, inbound encoding of unsafe characters is standardized. Although I recommend not relying on that, for two reasons: