Ian

Reputation: 1627

Bypass XSS blacklist "<", ">", "&" input nvarchar

I'm using some software that is blacklisting certain characters "<", ">", "&" for user submitted values.

It isn't HTML encoding the values when displaying the submitted results (outputs all submitted results in a table).

It stores the values in a nvarchar field in Sql Server.

Can you find a XSS vulnerability in this blacklist approach? Looking to see if can get software vendor to HTML encode the output.

EDIT

I've found that the values in the table are first output as javascript variables, and then added to the page. The values in the javascript are javascript encoded. The javascript encoding is doing its job and escapes values in the string variables.

I'm looking for xss vulnerabilities in the html rendered from this javascript string variable.

Failed Ideas

Given that uses javascript, had a go with javascript unicode representation of < >

"\u003cscript\u003ealert('hi');\u003c/script\u003e"

However, as mentioned above, the javascript encoder is doing its job, and just outputs it as text.

Upvotes: 1

Views: 13285

Answers (1)

Joe Strommen

Reputation: 1234

I know this is old, but blacklisting angle brackets does NOT prevent XSS in all cases.

A counter-example is if you put user input into an HTML attribute; e.g. creating a mailto link with their email. If they enter this as their email address:

" onclick="alert('XSS without angle brackets!')"

They have XSS'd your website.

Upvotes: 3
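The following is an added example (not code from the question, the answer, or the vendor's software) that simulates the round trip the question describes and the attribute-context attack the answer gives: a value passes the "<", ">", "&" blacklist, is JavaScript-string-encoded into a page variable (which is safe in that context), and is then concatenated into HTML markup by a client-side template. The blacklist, the encoder (JSON.stringify stands in for whatever the vendor uses) and the mailto template are all assumptions for illustration; the sample inputs are constructed.

```javascript
// Added example, not from the original post. Everything below is a stand-in
// for the vendor's pipeline: blacklist -> JS string encoding -> client-side HTML.

// Constructed sample inputs. The second one contains no <, > or & at all.
const SAMPLE_INPUTS = [
  'alice@example.com',
  '" onclick="alert(\'XSS without angle brackets!\')"',
];

// Stage 1 (assumed): the vendor's blacklist of angle brackets and ampersand.
function blacklistAllows(value) {
  return !/[<>&]/.test(value);
}

// Stage 2 (assumed): JavaScript string encoding used when the value is emitted
// as a script variable. JSON.stringify escapes quotes, backslashes and control
// characters, which is enough to keep the value inside the string literal.
function jsStringEncode(value) {
  return JSON.stringify(value);
}

// Stage 3, vulnerable: a hypothetical client-side template that drops the
// recovered string straight into an attribute and a text node.
function renderMailtoVulnerable(email) {
  return '<a href="mailto:' + email + '">' + email + '</a>';
}

// Hardened: HTML-encode for the HTML context at the point of output.
// Quotes are included because the value lands inside a quoted attribute.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

function renderMailtoSafe(email) {
  const enc = htmlEncode(email);
  return '<a href="mailto:' + enc + '">' + enc + '</a>';
}

// Crude check for the demo only (not a sanitizer): does the markup contain an
// on* event-handler attribute that a browser would parse as an attribute?
function hasEventHandlerAttribute(html) {
  return /\s(on\w+)\s*=\s*"/i.test(html);
}

// Full round trip: blacklist, encode into a script literal, let the JS parser
// recover the original string (as the browser would), then render with the
// given template. Returns null when the blacklist rejects the input.
function roundTrip(input, render) {
  if (!blacklistAllows(input)) return null;
  const scriptLiteral = 'var v = ' + jsStringEncode(input) + ';';
  // JSON.parse plays the role of the browser evaluating the string literal.
  const recovered = JSON.parse(scriptLiteral.slice('var v = '.length, -1));
  return render(recovered);
}

// Stand-alone demonstration.
for (const input of SAMPLE_INPUTS) {
  console.log('input   :', input);
  console.log('vulnerable:', roundTrip(input, renderMailtoVulnerable));
  console.log('hardened  :', roundTrip(input, renderMailtoSafe));
}
```

The JS string encoding correctly survives its own context: the literal is parsed back to exactly the submitted string. The problem is that the next hop, building HTML, gets no encoding, so the second sample closes the href attribute and adds an onclick handler without ever using an angle bracket. Encoding at the HTML output point, as the question proposes asking the vendor to do, is what fixes it; blacklisting characters on input is the wrong layer.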
