Ben Walther

Reputation: 1663

Is JavaScript Injection possible if the URL is inserted into a JavaScript string?

Is it possible to inject and execute JavaScript in the following context? Or terminate the JavaScript string?

Example:

var baseURL = "http://example.com/?[USER CONTROLLED INPUT]";

Note that one may cause an unterminated string literal JavaScript error by providing a string that ends in "\". Assume this error does not impact other use of user input.

Note: Browser URI encoding currently varies.

Given the following URL:

example.com?!*'();:@&=+$,/?[]"%-.<>\^_`{|}~#

Upvotes: 0

Views: 1699

Answers (1)

Gumbo

Reputation: 655129

If this is the only injection point then I have to agree with your assumption that the only damage one could do is an unterminated JavaScript string literal.

However, if there are multiple injection points, i.e., three or more, in one single line like this:

var x = "[USER CONTROLLED INPUT]", y = "[USER CONTROLLED INPUT]", z = "[USER CONTROLLED INPUT]";

It would be possible to inject JavaScript code:

x = \
y = +alert(1)+
z = //

As this would result in:

var x = "\", y = "+alert(1)+", z = "//";

It’s required that the injection points are all in one line as JavaScript doesn’t allow literal line breaks in string literals.

Upvotes: 1
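
The three-injection-point line from the answer above, as an added example (not code from the original post): it is built once with an assumed weak encoder that only percent-encodes the double quote, and once with a hardened string-literal encoder, then evaluated with a stub `alert` to show whether the input stayed data. All function names and the weak encoder are assumptions made for illustration.

```javascript
// Constructed inputs: the three values from the answer (x, y, z).
const inputs = ["\\", "+alert(1)+", "//"];

// Assumed weak encoder: percent-encodes only the double quote, so a
// backslash still reaches the string literal unescaped.
function weakLiteral(s) {
  return '"' + String(s).replace(/"/g, "%22") + '"';
}

// Hardened encoder: JSON.stringify escapes backslash, quote and control
// characters; <, >, &, U+2028 and U+2029 are escaped as well so the literal
// is also safe inside an inline <script> block.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Builds the one-line declaration from the answer with the given encoder.
function buildLine(values, toLiteral) {
  const [x, y, z] = values.map((v) => toLiteral(v));
  return `var x = ${x}, y = ${y}, z = ${z};`;
}

// Evaluates the generated line with a stub alert and reports how often the
// stub was called and what x, y and z ended up holding.
function evaluate(line) {
  let calls = 0;
  const alertStub = () => { calls += 1; return 0; };
  const pick = (n) => `typeof ${n} === "undefined" ? undefined : ${n}`;
  const body = `${line}\nreturn [${["x", "y", "z"].map(pick).join(", ")}];`;
  const values = new Function("alert", body)(alertStub);
  return { calls, values };
}

for (const [name, enc] of [["weak", weakLiteral], ["hardened", jsStringLiteral]]) {
  const line = buildLine(inputs, enc);
  console.log(name, line, JSON.stringify(evaluate(line)));
}
```

With the weak encoder the stub is called once and `y` and `z` are never declared; with the hardened encoder all three variables hold the submitted strings unchanged.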
