Full Disclosure mailing list archives

Re: [A bug!] Whom to blame, the HTML interpreter or the JavaScript compiler?


From: Wayne Schroeder <raz () chewies net>
Date: Sat, 11 Oct 2003 00:40:14 -0500

At this point, I'm about ready to classify your email as flamebait.  I'm
not quite sure if you're not just yanking everyone's chain here. The
only issue that this could ever cause is if someone allowed untrusted,
unescaped data into a javascript <script> tag set.  This of course is a
BadThing(tm) and is just another XSS vuln method.  It's not a vuln or
bug with any web browser.  You might as well blame them for being
standards compliant.  It is the job of the browser to stop parsing the
stuff inside the <script> tag when it hits a </script> no matter what.
It is the web app / cgi programmer who must make sure this does not
happen, not the browsers.  You might as well blame the browser for
allowing people to insert " or ' in a html tag such as a form input
value attribute.

Let's recap...

It's not any browser's fault or any javascript parser's fault.

The javascript parser only sees what is inside script tags.

Escape any data from untrusted source that goes to web browser.

To escape said text, depending on what the context is, let's say for the
sake of argument and example, a string constant in double quotes, all
you have to do is escape things that can cause issues with a \.

For instance... in perl.

my $data = "hey string</script><script>alert('PWNED');</script>";
$data =~ s/(\W)/\\$1/g;

now $data is the following:
hey\ string\<\/script\>\<script\>alert\(\'PWNED\'\)\;\<\/script\>

This string can go inside a javascript string constant and won't cause
the HTML PARSER to think it's the end of the javascript block. Some may
think that \W is adding too many \ to the string but it gets the job
done.  You could use another char set like [^<"'\\] or similar if you
were anal about it.

You can't blame web browsers for the XSS issues that lacky web coders
allow.  I don't know what vendor you contacted but the only things you
mentioned were web browsers so I am guessing you contacted MS or the
mozilla team.  Don't be surprised when they don't consider it a browser
bug.

fine! i am stupid then!

You said it, not me.

YOU THINK I AM STUPID CAUZ I COULDN'T EXPLAIN YOU WHAT
I MEAN!!!

Something tells me they used another metric... perhaps because you're
also fishing for jobs and scholarships with an 'advisory' that many
people have already tried to explain is not valid.  

On Fri, Oct 10, 2003 at 08:53:53PM -0700, bipin gautam wrote:
fine! i am stupid then!

you will regret those words when you are using my
exploit's to .....

hell search google! you will find a lot!
http://www.google.com.np/search?q=%22bipin+gautam%22+hUNT3R&ie=UTF-8&oe=UTF-8&hl=ne&btnG=%E0%A4%97%E0%A5%81%E0%A4%97%E0%A4%B2+%E0%A4%96%E0%A5%8B%E0%A4%9C%E0%A5%80

YOU THINK I AM STUPID CAUZ I COULDN'T EXPLAIN YOU WHAT
I MEAN!!!

-------------------------------------
--- bipin gautam <visitbipin () yahoo com> wrote:
well... i've PERSONALLY tried it with IE 6 AND Opera
7.11 and MOZILLa....... for windows!

well... for the other statistic i've been reported
by
friends/people like you!

it does work!

 
--------------------------------------
--- Florian Huber <florian.huber () mnet-online de>
wrote:
On Fri, 10 Oct 2003 10:38:59 -0700 (PDT)
bipin gautam <visitbipin () yahoo com> wrote:

--- [Effected] ---
It's spelled "affected" ;P

All versions of "OPERA, MOZILLA and INTERNET
EXPLORER"
available up to this, relese DATE!

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a)
Gecko/20030813
Mozilla Firebird/0.6.1

Definitely _not_ vulnerable...

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html
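
Added example, not part of the original post or thread: a JavaScript model of the two parsers discussed above, showing the unescaped string ending the script block early and the \W-escaped string surviving intact. The helper names, the `var msg` template and the simplified "first </script wins" parser model are assumptions; the example also goes beyond the post with a \uXXXX variant and a newline input, which the backslash-everything approach silently drops.

```javascript
// Constructed sample input: the string used in the post.
const UNTRUSTED = "hey string</script><script>alert('PWNED');</script>";

// Port of the post's Perl s/(\W)/\\$1/g (JavaScript's \W is ASCII-only).
function escapeNonWord(s) {
  return s.replace(/(\W)/g, "\\$1");
}

// Swapped-in alternative, not from the post: \uXXXX escapes, which keep a
// newline as data instead of turning "\" + newline into a line continuation.
function escapeUnicode(s) {
  return s.replace(/[^\w ]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hypothetical page template: the text lands in a double-quoted constant.
function render(escaped) {
  return '<script>var msg = "' + escaped + '";</script>';
}

// Simplified model of the HTML parser: the script block ends at the first
// "</script", whatever the JavaScript around it looks like.
function scriptBlockBody(html) {
  const rest = html.slice(html.indexOf("<script>") + "<script>".length);
  return rest.slice(0, rest.search(/<\/script/i));
}

// What the JavaScript parser makes of that body: the value of msg,
// or null when the body is not valid JavaScript.
function evalMsg(body) {
  try {
    return new Function(body + "\nreturn msg;")();
  } catch (e) {
    return null;
  }
}

// Escape, embed, split as the HTML parser would, then read the string back.
function roundTrip(value, escaper) {
  return evalMsg(scriptBlockBody(render(escaper(value))));
}

console.log(scriptBlockBody(render(UNTRUSTED)));   // block cut short
console.log(roundTrip(UNTRUSTED, escapeNonWord) === UNTRUSTED);
console.log([roundTrip("a\nb", escapeNonWord), roundTrip("a\nb", escapeUnicode)]);
```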

