Javascript/jQuery XSS potential reading from query strings

My javascript reads data from a query string and puts that data into a text box using jQuery.val().

This works fine but I am wondering is this safe from XSS attacks?

Say the query string looked like...

site.com?q="javascript:alert(document.cookie)

Which would effectively do:

jQuery.val('"javascript:alert(document.cookie)')

From what I have tested in IE8 / firefox this sets the input value as seen and doesn't do the actual injection.

If I run this function over the string first:

function htmlEncode(str) {
    // Escape '&' first so the entities produced by the later replacements are not re-escaped.
    return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/'/g, '&#039;').replace(/"/g, '&quot;');
}

Then you literally see &quot;javascript:alert(document.cookie) in the input value which is not what I want.

Using jQuery 1.5.2 I guess my question is does jQuery.val() handle the HTML entities for you and is therefore considered safe?

asked May 07 '11 14:05 by fire


1 Answer

Given the following:

jQuery("#SomeTextbox").val("new value for SomeTextbox")

the jQuery code for the val function simply does this:

this.value = "new value for SomeTextbox";

where this is a reference to the Text object in the DOM that represents the textbox with id "SomeTextbox". The string "new value for SomeTextbox" is stored as the value property of that DOM object. It does not get transformed or sanitized in any way. But it doesn't get parsed/interpreted by the JavaScript engine either (e.g. as it would with innerHTML). So regardless of what your argument to val is, it isn't going to "do" anything. It just changes the value of a string property of an object in the DOM. So, yes, it would be safe.

EDIT:

Here is some additional information that you may find helpful.

In general, putting something into a text box, no matter how malicious it may appear, and regardless of how it gets there is "safe" as long as it stays in the text box. But it matters a lot where it goes from there.

If the content of the textbox is subsequently rendered in a stream of parsed HTML, then it is no longer safe. A common scenario is to store the content of a textbox in a database, then retrieve it later and render it in a context where the browser parses it as HTML. If the re-display occurs in the context of a different user, it creates an opportunity for a malicious user to enter data into the textbox in order to gain access to another user's private information at some future time.

answered Sep 20 '22 02:09 by Joel Lee