Reputation: 409
I have a profile field that users can post their data onto. I block anything with the following regex pattern /<(.+?)>/
It blocks anything that starts with < and ends with >. Will this prevent XSS? I mean, there isn't much they can do now without being able to use the <> HTML tags.
Upvotes: 0
Views: 376
Reputation: 4416
Browsers are very forgiving when parsing HTML. I suspect the following input, without closing the tag, would work:
<input onfocus=alert(1) autofocus type=text
Use entity escaping or a whitelist instead.
Oh, and . does not match \n, so there you have another bypass:
<script
>
Upvotes: 0
Reputation: 39451
There are in fact XSS attacks that don't require a closing bracket.
For example, this page lists one that works in IE
<IMG SRC="javascript:alert('XSS')"
Anyway, the fact that you didn't realize this should teach you a lesson. Blacklisting like this is error-prone and doomed to failure. You should use a template that applies the appropriate escaping (HTML entity encoding in this case, but it depends on the context the output will appear in).
If you can get away with it, limit the input to a safe character set like alphanumerics so you don't have to worry about this in the first place. And make sure you handle Unicode and null characters properly.
Upvotes: 4
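To make both answers concrete, here is an added example (not code from the question or either answer) that runs the question's blacklist regex over the bypass inputs the answers mention, then shows the two recommended fixes side by side: entity escaping for an HTML text context and an allowlist check for a restricted profile field. The `ALLOWED` pattern, the field length limit and the sample values are assumptions chosen for the demonstration.

```python
import html
import re
import unicodedata

# The question's blacklist, verbatim: drop anything that looks like a complete tag.
BLACKLIST = re.compile(r"<(.+?)>")

# Sample inputs (constructed for this example; the first three are the bypasses
# quoted in the answers, the last is an ordinary tag the regex does catch).
SAMPLES = {
    "unclosed_input": "<input onfocus=alert(1) autofocus type=text",
    "newline_script": "<script\n>",
    "unclosed_img": '<IMG SRC="javascript:alert(\'XSS\')"',
    "plain_bold": "<b>hi</b>",
}


def blacklist_passes(value: str) -> bool:
    """True if the regex blacklist would let `value` through untouched.

    Note that `.` does not match a newline and the pattern needs a closing `>`,
    so an unclosed tag or a tag broken across lines is never matched.
    """
    return BLACKLIST.search(value) is None


def escape_for_html_text(value: str) -> str:
    """Fix 1: output encoding for an HTML text/attribute-value context.

    `<`, `>`, `&`, `"` and `'` become entities, so the browser renders the
    input as literal text instead of parsing it as markup. This is only right
    for that one context; a JavaScript string, a URL or a CSS value needs its
    own encoder (the 'depends on the context' point in the last answer).
    """
    return html.escape(value, quote=True)


# Fix 2: an allowlist for a field that does not need markup at all.
# Assumed policy: 1-64 characters of ASCII letters, digits, space, '_', '.', '-'.
ALLOWED = re.compile(r"^[A-Za-z0-9 _.\-]{1,64}$")


def allowlist_accepts(value: str) -> bool:
    """True only if the value is entirely within the safe character set.

    NFKC normalisation is applied first so that compatibility characters such
    as fullwidth '<' (U+FF1C) are judged by what they fold to, and a NUL byte
    is rejected explicitly even though the character class already excludes it.
    """
    if "\x00" in value:
        return False
    folded = unicodedata.normalize("NFKC", value)
    return ALLOWED.fullmatch(folded) is not None


def evaluate(value: str) -> dict:
    """Run one input through the blacklist and both fixes."""
    return {
        "blacklist_passes": blacklist_passes(value),
        "escaped": escape_for_html_text(value),
        "allowlist_accepts": allowlist_accepts(value),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, evaluate(sample))
```

Running the script shows the three bypass payloads sailing through the blacklist unchanged while the ordinary `<b>` tag is caught, which is exactly the shape of failure the answers describe: the filter recognises the cases the author thought of and nothing else. The escaped column shows each payload turned into inert text, and the allowlist rejects all four because none of them is made of plain field characters.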